US11070380B2 - Authentication apparatus based on public key cryptosystem, mobile device having the same and authentication method - Google Patents

Publication number
US11070380B2
Authority
US
United States
Prior art keywords
authentication
opponent
certificate
response
challenge
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/212,343
Other versions
US20170099151A1 (en
Inventor
Kitak Kim
Ji-su Kang
Kiseok Bae
Jonghoon SHIN
KyoungMoon AHN
Jinsu HYUN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020150168664A (KR102458351B1)
Application filed by Samsung Electronics Co Ltd
Assigned to SAMSUNG ELECTRONICS CO., LTD. Assignment of assignors interest (see document for details). Assignors: HYUN, JINSU; SHIN, JONGHOON; AHN, KYOUNGMOON; BAE, KISEOK; KANG, JI-SU; KIM, KITAK
Publication of US20170099151A1
Application granted
Publication of US11070380B2
Legal status: Active
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • the disclosure described herein relates to an authentication apparatus based on a public key cryptosystem, a mobile device having the same, and an authentication method thereof.
  • The internet of things (IoT) refers to a technology that allows a variety of things, each including a sensor and a communication function, to connect to the internet.
  • the things are various embedded systems such as a home appliance, a mobile device, a wearable device, and the like.
  • various devices connect to a network for communication and data sharing, and thus the devices provide a service for a user.
  • sensitive data associated with privacy of a user is transmitted through a network and is used at a service.
  • an authentication apparatus identifies another participant of a communication, thereby making it possible to protect privacy through an interaction with an authenticated participant and to provide a service which a user wants.
  • an authentication target is expanded, and thus there is required an authentication between components in a device.
  • Even if a device is not in an IoT environment, when a function of one of its components is provided without an authentication, privacy is infringed by an attack on sensitive data of a user.
  • a fake product is manufactured through the reusing or unauthorized use of a specific component.
  • a function of a genuine product certification is performed by identifying an opponent (e.g., component).
  • a secure service is provided by protecting privacy of a user. Accordingly, there is required a lightweight authentication apparatus which is applied at a device level as well as a component level.
  • Embodiments of the disclosure provide a lightened authentication apparatus, a mobile device having the same, and an authentication method thereof.
  • an authentication apparatus included in a device supporting a network communication may include a certificate handler configured to receive a certificate of an opponent and to parse or verify the certificate of the opponent.
  • Cryptographic primitives receive an authentication request of the opponent to generate a random number in response to the authentication request, generate a challenge corresponding to the random number, and verify a response of the opponent corresponding to the challenge.
  • a shared memory stores the parsed certificate, the random number, the challenge, and the response.
  • An authentication controller controls the certificate handler, the cryptographic primitives, and the shared memory through a register setting according to an authentication protocol.
  • a mobile device may include a first component and a second component. At least one of the first or second components comprises an authentication apparatus.
  • the authentication apparatus may include an authentication handler configured to receive, parse or verify a certificate of an opponent.
  • Cryptographic primitives generate a random number, generate a challenge corresponding to the random number, verify a response of the opponent corresponding to the challenge, or generate a response of the authentication apparatus in response to a challenge of the opponent.
  • a shared memory stores the parsed certificate, the random number, the challenge, and the response.
  • An authentication controller controls the certificate handler, the cryptographic primitives, and the shared memory through a register setting according to an authentication protocol, when the mobile device transmits an authentication request to the opponent or the opponent transmits an authentication request to the mobile device.
  • an authentication method of an authentication apparatus may include receiving an authentication request from an opponent; setting a first register indicating the authentication request to be readable and writable; generating a first challenge in response to the authentication request; setting a second register storing the first challenge to be readable and writable; receiving a response corresponding to the first challenge and a first certificate from the opponent; and setting registers for storing the first certificate, a value for verifying the first certificate, information data, and the first response to be readable and writable.
  • the method further includes verifying the first certificate and the first response and setting registers for storing an intermediate value or a result value, which is obtained in the verifying of the first certificate and the first response, to be readable and writable.
  • an authentication apparatus may receive an authentication request of an opponent, verify a response of the opponent in response to the authentication request, and may generate a response of the authentication apparatus corresponding to a challenge of the opponent.
  • an authentication apparatus includes a hash primitive that generates a challenge in response to an authentication request received from an opponent.
  • a memory device stores the challenge.
  • a control circuit receives the challenge from the memory device and transmits the challenge to the opponent.
  • a certificate handler stores a certificate, received from the opponent in response to the challenge, in the memory device.
  • the control circuit further stores a response, received from the opponent in response to the challenge, in the memory device.
  • a public key accelerator primitive receives the response and certificate from the memory device and verifies the received response and certificate.
  • FIG. 1 is a schematic diagram illustrating a network system for performing an authentication method of devices, each of which includes an authentication apparatus according to an embodiment of the disclosure;
  • FIG. 2 is a block diagram illustrating an authentication apparatus according to an embodiment of the disclosure
  • FIG. 3 is a block diagram illustrating an authentication controller illustrated in FIG. 2 ;
  • FIG. 4 is a block diagram illustrating cryptographic primitives illustrated in FIG. 2 ;
  • FIG. 5 is a block diagram illustrating data areas to be included in a shared memory when an authentication apparatus according to an embodiment of the disclosure performs an authentication protocol
  • FIG. 6 is a block diagram for describing the reuse of input/output values, which are stored in a shared memory, of each of components in at least one of the components when an authentication apparatus according to an embodiment of the disclosure performs an authentication protocol;
  • FIG. 7 is a state machine diagram for describing a procedure of performing a unilateral authentication protocol of an authentication apparatus according to an embodiment of the disclosure
  • FIG. 8 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol
  • FIG. 9 is a ladder diagram for conceptually describing a unilateral authentication protocol of an authentication apparatus according to an embodiment of the disclosure.
  • FIG. 10 is a block diagram for describing a procedure of receiving an authentication request when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol
  • FIG. 11 is a block diagram for describing a procedure of generating a challenge corresponding to an authentication request when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
  • FIG. 12 is a block diagram for describing a procedure of receiving a public key certificate and a response of an opponent when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
  • FIG. 13 is a block diagram for describing a procedure of verifying a public key certificate and a response of an opponent when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
  • FIG. 14 is a state machine diagram for describing a procedure of performing a mutual authentication protocol of an authentication apparatus according to an embodiment of the disclosure
  • FIG. 15 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol
  • FIG. 16 is a ladder diagram for conceptually describing a mutual authentication protocol of an authentication apparatus according to an embodiment of the disclosure.
  • FIG. 17 is a block diagram for describing a procedure of transmitting a public key and a challenge of the authentication apparatus to an opponent when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
  • FIG. 18 is a block diagram for describing a procedure of receiving a public key certificate, a response, and a challenge of an opponent when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
  • FIG. 19 is a block diagram for describing a procedure of generating a response of the authentication apparatus in response to a challenge to an opponent when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
  • FIG. 20 is a block diagram for describing a procedure of generating a shared secret key when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol
  • FIG. 21 is a block diagram illustrating a mobile device according to an embodiment of the disclosure.
  • FIG. 22 is a schematic diagram illustrating an IoT network system according to an embodiment of the disclosure.
  • An authentication apparatus based on a public key cryptosystem may make it possible to reduce a size of a conventional memory, which each of multiple components independently uses, by sharing a memory and make it possible to eliminate a central processing unit (CPU) or a nonvolatile memory (NVM) by including a dedicated module which performs an authentication protocol. Accordingly, an authentication apparatus may be lightened.
  • the authentication apparatus may need cryptographic hardware which performs a function, which is necessary to provide a service based on a public key cryptosystem, at high speed.
  • the public key cryptosystem includes a scheme or a protocol including operations of an integer which are based on a cryptographic hard problem requiring a high throughput.
  • the operations of an integer may include a modular addition, a modular subtraction, a modular multiplication, and a modular exponentiation.
  • the operations of an integer may include a point addition, a point doubling, a scalar multiplication, and a message digest which are on an elliptic curve.
  • the authentication apparatus may be implemented by combining an executor of an integer operation and a hash executor for the message digest.
  • each of the components may have a resource overlapped with each other.
  • each of the components may separately need a separate memory (e.g., a static random access memory (SRAM)) to perform a unique function.
  • the memory may be used as a shared memory to optimize and lighten the authentication apparatus.
  • a chip size of each of the components may be minimized by storing an internal variable of each of the components in a shared memory.
  • an authentication function of a product such as a flip-cover of a smartphone, a battery, or a power cable may be implemented so as to perform authentication after a service is provided or while a service is provided. When the authentication fails, a corresponding service may be immediately interrupted.
  • the authentication apparatus may not include an independent central processing unit (CPU) for performing authentication based on a public key cryptosystem and a nonvolatile memory (NVM) which stores software (SW) for performing authentication.
  • an internal component of the authentication apparatus may continuously access a shared memory and may operate. Components which independently operate may share a memory with each other and may use the shared memory. At this time, the components may share data, which the components need, through the shared memory.
  • FIG. 1 is a schematic diagram illustrating a network system for authenticating devices A and B each of which includes an authentication apparatus, according to an embodiment of the disclosure.
  • a network system 10 may include a network 11 for a wireless/wired connection among devices A, B, and C.
  • the network 11 may be an internet of things (IoT) network.
  • In FIG. 1, for descriptive convenience, the embodiment is illustrated with three devices A, B, and C connected to the network 11.
  • the scope and spirit of the disclosure may not be limited thereto.
  • the number of devices connecting to the network 11 may be four or more.
  • the first device A may include a corresponding authentication apparatus 100
  • the second device B may include a corresponding authentication apparatus 200
  • the third device C may not include an authentication apparatus.
  • an authentication method which is performed by the network system 10 for each device may be roughly classified into two types. The first is a mutual authentication between the device A including the authentication apparatus 100 and the device B including the authentication apparatus 200. The second is a unilateral authentication, either between the device A including the authentication apparatus 100 and the device B including the authentication apparatus 200, or between a device A or B including an authentication apparatus 100 or 200 and the device C not including an authentication apparatus.
  • the first device A may be a flip cover encompassing a smartphone
  • the second device B may be a smartphone
  • the third device C may be a device not including an authentication apparatus.
  • an authentication apparatus may be used to perform an internal authentication between first and second components 201 and 202 .
  • the internal authentication may include a mutual authentication or a unilateral authentication, just as with the external authentication.
  • the first component 201 may be a display driver integrated chip (DDI) device
  • the second component 202 may be a display device.
  • In FIG. 1, an embodiment of the disclosure is illustrated in which a component 201 of the device B includes one authentication apparatus 200.
  • another component 202 of the device B may include an authentication apparatus.
  • a configuration of the authentication apparatus 100 in the first device A may be similar to a configuration of the authentication apparatus 200 in the second device B.
  • The network system 10 illustrated in FIG. 1 is an example. However, the scope and spirit of the disclosure may not be limited thereto.
  • FIG. 2 is a block diagram illustrating an authentication apparatus 100 according to an embodiment of the disclosure.
  • an authentication apparatus 100 may include a plurality of components 110 , 120 , 130 , and 140 .
  • the authentication apparatus 100 may include an authentication controller 110 , a certificate handler 120 , cryptographic primitives 130 , and a shared memory 140 .
  • the authentication controller 110 may be implemented so as to perform an authentication protocol based on a public key cryptosystem.
  • the authentication protocol may be an external authentication protocol for communicating with an external device or an internal authentication protocol for communicating with an internal component.
  • the authentication controller 110 may directly execute an authentication protocol through a communication with an opponent. For example, to perform an operation which is required when the authentication protocol is performed, the authentication controller 110 may repeatedly call out the components 120 and 130 each of which performs a unit operation. Moreover, the authentication controller 110 may sequentially adjust an operating point in time of each of the components 120 and 130 , and thus the components 110 , 120 , and 130 may share the shared memory 140 .
  • the authentication controller 110 may control the certificate handler 120 , the cryptographic primitives 130 , and a shared memory 140 to allow other components to use a value which is inputted to one component or outputted from one component through the shared memory 140 .
  • the authentication controller 110 may control the certificate handler 120 , the cryptographic primitives 130 , and the shared memory 140 which are for the authentication protocol.
  • the certificate handler 120 may be implemented to manage a public key certificate.
  • the certificate handler 120 may generate, parse, and verify the public key certificate.
  • the certificate handler 120 may parse the public key certificate inputted from the opponent and may store the parsed public key certificate in the shared memory 140 .
  • the certificate handler 120 may receive a public key certificate of the opponent and may verify whether the public key certificate of the opponent is valid, using a root certificate of a certificate authority (CA).
  • the certificate handler 120 may be implemented so as to frequently and continuously access the shared memory 140 . That is, the certificate handler 120 may be implemented so as to store internal variables for generating or verifying a public key certificate in the shared memory 140 .
  • the cryptographic primitives 130 may be implemented so as to perform a public key encryption operation, to perform a hash operation, or to generate a random number.
  • the cryptographic primitives 130 may generate a challenge in response to an authentication request of the opponent.
  • the challenge may be obtained by inputting a random number to a hash algorithm.
  • the cryptographic primitives 130 may verify a response generated from the opponent in response to the challenge of the authentication apparatus 100 .
  • the response inputted from the opponent may be a signature value obtained by certifying the challenge of the authentication apparatus 100 using a private key of the opponent.
  • the cryptographic primitives 130 may verify the response (or the signature value) of the opponent by decoding the challenge using the response of the opponent and a public key certificate of the opponent.
  • the cryptographic primitives 130 may generate a response (or a signature value) of an authentication apparatus which corresponds to a challenge generated by the opponent.
  • the cryptographic primitives 130 may generate a shared secret using a random number which is generated when an authentication protocol is performed.
  • the cryptographic primitives 130 may be implemented so as to frequently and continuously access the shared memory 140 . That is, the cryptographic primitives 130 may be implemented so as to store internal variables for an encryption operation, a hash operation, or generation of a random number in the shared memory 140 .
  • the shared memory 140 may be implemented so as to store: (1) data for at least one operation of the authentication controller 110 , the certificate handler 120 and the cryptographic primitives 130 , (2) data generated during an operation, or (3) data according to a result of an operation.
  • the shared memory 140 may be implemented with a volatile memory, a nonvolatile memory, or a hybrid memory which is composed of a volatile memory and a nonvolatile memory.
  • the shared memory 140 may be a dynamic random access memory (DRAM), a static random access memory (SRAM), an embedded multimedia card (eMMC), or the like.
  • An input/output control operation of the shared memory 140 may be performed under control of the authentication controller 110. That is, the authentication controller 110 may include a memory controller for controlling the shared memory 140.
  • the components 110 , 120 , 130 , and 140 of the authentication apparatus 100 may be implemented so as to connect to each other through data lines 101 , 102 , 103 , 104 , and 105 .
  • Each of the data lines 101 , 102 , 103 , 104 , and 105 may be used as an input/output line for transmitting internal data generated when an authentication protocol is performed.
  • the components 110 , 120 , and 130 of the authentication apparatus 100 may share the shared memory 140 . For this reason, input/output values of any one of the components 110 , 120 , and 130 may be shared by the remaining components. That is, the authentication apparatus 100 according to an embodiment of the disclosure may make it possible to reduce a size of a conventional memory which each of components independently uses, and thus the authentication apparatus 100 may be lightened.
  • the authentication apparatus 100 may include the component 110 dedicated for an authentication protocol, thereby making it possible to eliminate a central processing unit (CPU), which drives software for performing an authentication protocol, or a nonvolatile memory (NVM). That is, the authentication apparatus 100 may be lightened.
  • Because there is no need to store software for performing an authentication protocol, the authentication apparatus 100 according to an embodiment of the disclosure may exclude the possibility that an error of the authentication apparatus 100 occurs due to tampering with the software.
  • the authentication apparatus 100 may perform an authentication protocol based on a public key cryptosystem by only using the authentication controller 110 for performing an authentication protocol and the certificate handler 120 for processing a public key certificate.
  • the authentication apparatus 100 may be applied to various devices and components, and thus the authentication apparatus 100 may provide a variety of authentication functions in various environments of the devices.
  • the authentication protocol which the authentication apparatus 100 according to an embodiment of the disclosure supports based on a public key cryptosystem, may be a unilateral authentication and a mutual authentication.
  • a result of an operation of the authentication apparatus 100 may be a result value of an identification of the opponent.
  • a result of an operation of the authentication apparatus 100 may be a result value of an identification of the opponent and a secret value which is used when a session key for a secret communication is generated after the result is generated.
  • the secret value may be shared by the authentication apparatus 100 and the opponent.
  • The authentication apparatus 100 illustrated in FIG. 2 is an example. However, the scope and spirit of the disclosure may not be limited thereto.
  • FIG. 3 is a block diagram illustrating an authentication controller 110 illustrated in FIG. 2 .
  • the authentication controller 110 may include registers 112 and a one-time programmable memory 114 .
  • the registers 112 may include a first register 112 - 1 which stores an execution value indicating that the authentication apparatus 100 begins an authentication protocol process, a second register 112 - 2 which stores a preparation value set when an authentication request is received, and a third register 112 - 3 which stores an authentication result value.
  • When the first register 112-1 is set, the authentication apparatus 100 may begin an authentication protocol operation.
  • the second register 112 - 2 may be set.
  • the third register 112 - 3 may be set.
  • the one-time programmable memory 114 may be implemented so as to store a certificate 114 - 1 for the authentication apparatus 100 .
  • the certificate 114 - 1 may include a public key 114 - 2 and a secret key 114 - 3 of the authentication apparatus 100 which are required to perform an authentication protocol based on a public key cryptosystem.
  • the one-time programmable memory 114 may be implemented so as to include a counter measure for protecting the secret key 114 - 3 .
  • the authentication controller 110 illustrated in FIG. 3 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
  • FIG. 4 is a block diagram illustrating cryptographic primitives 130 illustrated in FIG. 2 .
  • the cryptographic primitives 130 may include a public key accelerator 131 , a hash function 132 , and a random number generator 133 .
  • the public key accelerator 131 may be implemented so as to perform a modular operation or a point operation used for an authentication protocol.
  • the public key accelerator 131 may connect to the authentication controller 110 through a data line 103 - 1 .
  • the public key accelerator 131 may connect to the shared memory 140 through a data line 104 - 1 .
  • the hash function 132 may be implemented so as to perform a hash algorithm.
  • the hash function 132 may connect to the authentication controller 110 through a data line 103 - 2 .
  • the hash function 132 may connect to the shared memory 140 through a data line 104 - 2 .
  • the random number generator 133 may be implemented so as to generate a random number.
  • the random number generator 133 may connect to the authentication controller 110 through a data line 103 - 3 .
  • the random number generator 133 may connect to the shared memory 140 through a data line 104 - 3 .
  • the data lines 103 - 1 , 103 - 2 , and 103 - 3 may be included in the data line 103 illustrated in FIG. 2 .
  • the data lines 104 - 1 , 104 - 2 , and 104 - 3 may be included in the data line 104 illustrated in FIG. 2 .
  • FIG. 5 is a block diagram illustrating data areas to be included in a shared memory 140 when an authentication apparatus 100 according to an embodiment of the disclosure performs an authentication protocol.
  • the shared memory 140 may include a first area 141 which stores a challenge of the authentication apparatus 100 generated by the authentication controller 110 when an authentication protocol is performed, a second area 142 which stores a response generated by an opponent in response to the challenge of the authentication apparatus 100 , a third area 143 which stores a parsed certificate from the opponent, a fourth area 144 which stores a challenge transmitted from the opponent, a fifth area 145 which stores a response generated by the authentication apparatus 100 in response to the challenge of the opponent, a sixth area 146 which stores an intermediate value for an authentication protocol, and a seventh area 147 which stores a hashed value which is a result value of a hash function.
  • the third area 143 may include an area 143 - 1 which stores a public key of the opponent, an area 143 - 2 which stores a value for signature verification, and an area 143 - 3 which stores information data for performing other authentication protocols.
  • FIG. 6 is a block diagram for describing the reuse of input/output values, which are stored in the shared memory 140 , of each of components 110 , 120 , and 130 in at least one of components 110 , 120 , and 130 when an authentication apparatus 100 according to an embodiment of the disclosure performs an authentication protocol.
  • Input/output values of components 110 , 120 , and 130 may be stored, as described below.
  • Input/output values of the public key accelerator 131 may be stored in the sixth area 146 of the shared memory 140 through the data line 104 - 1 .
  • Input/output values of the hash function 132 may be stored in the seventh area 147 of the shared memory 140 through the data line 104 - 2 .
  • Input/output values of the random number generator 133 may be stored in the first area 141 of the shared memory 140 through the data line 104 - 3 .
  • Input/output values of the certificate handler 120 may be stored in the third area 143 of the shared memory 140 through the data line 102 .
  • values stored in the shared memory 140 which are outputted from one component may be reused at another component, as described below.
  • a challenge value stored in the first area 141 may be reused at the hash function 132 through the data line 104 - 5 , and the reused result value may be stored in the seventh area 147 .
  • a hashed value stored in the seventh area 147 may be reused at the public key accelerator 131 through the data line 104 - 6 , and the reused result value may be stored in the sixth area 146 .
  • the parsed certificate of the third area 143 may be reused at the public key accelerator 131 through the data line 104 - 7 , and the reused result value may be stored in the sixth area 146 .
  • the parsed certificate of the third area 143 may be reused at the hash function 132 through the data line 104 - 8 , and the reused result value may be stored in the seventh area 147 .
  • each of the components 110 , 120 , and 130 of the authentication apparatus 100 may frequently and repeatedly access the shared memory 140 and may generate an output value.
  • FIG. 7 is a state machine diagram for describing a procedure of performing a unilateral authentication protocol of an authentication apparatus according to an embodiment of the disclosure. Referring to FIGS. 1 to 7 , a unilateral authentication protocol of the authentication apparatus 100 may be performed as described below.
  • the authentication apparatus 100 may transition to an initial state S 110 . Moreover, a state of the authentication apparatus 100 may be transitioned from an end state S 160 to the initial state S 110 by an initialization operation. Moreover, the state of the authentication apparatus 100 may be transitioned from a fail state S 170 to the initial state S 110 by a reset operation.
  • a state of the authentication apparatus 100 may be transitioned from the initial state S 110 to a wait state S 120 .
  • the authentication apparatus 100 may wait for an authentication request from an opponent which is a target of an authentication protocol at the wait state S 120 .
  • the state of the authentication apparatus 100 may be transitioned to a challenge generation state S 130 .
  • a challenge value may be generated from the random number generator 133 of the cryptographic primitives 130 (refer to FIG. 4 ).
  • the generated challenge value may be transmitted to an external device (i.e., the opponent) which is placed outside the authentication apparatus 100 .
  • the state of the authentication apparatus 100 may be transitioned to a public key & response input state S 140 ; otherwise, the state of the authentication apparatus 100 may be transitioned to the fail state S 170 upon a failure of the challenge value generation S 132 .
  • In the public key & response input state S 140 , a public key of the opponent, which wants to confirm an authorization, and a response corresponding to the challenge of the authentication apparatus 100 may be transmitted to the authentication apparatus 100 .
  • the state of the authentication apparatus 100 may be transitioned to a public key & response verification state S 150 ; otherwise, the state of the authentication apparatus 100 may be transitioned to the fail state S 170 upon a failure to receive the public key and/or response S 142 .
  • In the public key & response verification state S 150 , verification may be performed with respect to the public key of the opponent.
  • When the verification result indicates that the public key is a valid public key, the verification may be performed with respect to the response.
  • the state of the authentication apparatus 100 may be transitioned to the end state S 160 .
  • the state of the authentication apparatus 100 may be transitioned to the fail state S 170 .
  • the authentication apparatus 100 may set read/write rights differently at each operation step for values which are generated while the unilateral authentication protocol is performed or values for performing the unilateral authentication protocol. That is, because the values may otherwise be modified by an action of an attacker, setting the rights in this way may block such an action from affecting the authentication result.
  • the authentication controller 110 illustrated in FIG. 3 may adjust an access right about values which are stored in the registers 112 (refer to FIG. 3 ) according to an operating step of the authentication apparatus 100 , or values which are stored in the one-time programmable memory 114 (refer to FIG. 3 ).
  • FIG. 8 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol.
  • an execution value may be readable and writable.
  • the execution value may be readable, and a request preparation value may be readable and writable.
  • the execution value and the request preparation value may be readable, and a challenge value of the authentication apparatus 100 may be readable and writable.
  • In the public key & response input state S 140 , the execution value and the request preparation value may be readable, and a public key value of an opponent, a certificate verification value, information data, and a challenge response value of the opponent may be readable and writable.
  • the execution value, the request preparation value, a challenge value of an authentication apparatus 100 , a public key value of the opponent, the certificate verification value, the information data, and the challenge response value of the opponent may be readable, and an intermediate value, a hashed value, and an authentication result value for an authentication protocol may be readable and writable.
  • the authentication result value may be readable and may not be writable.
  • a read or write right setting may be implemented by a status register for storing a bit value.
  • values other than those in the table illustrated in FIG. 8 may be neither readable nor writable.
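The state machine of FIG. 7 and the rights table of FIG. 8 described above, modelled as an added example (not code from the patent). The value names, the event names, the mapping of rights rows to states where the page omits the state name, the deny-all fail state and the wipe on re-initialisation are assumptions of this example.

```python
from enum import Enum

R, W = 0b01, 0b10  # read and write right bits, as a status register would hold them

class State(Enum):
    INITIAL = "S110"
    WAIT = "S120"
    CHALLENGE_GEN = "S130"
    INPUT = "S140"
    VERIFY = "S150"
    END = "S160"
    FAIL = "S170"

# Hypothetical names for the values received from the opponent in S140.
INPUT_VALUES = ("opp_public_key", "cert_verification", "info_data", "opp_response")

# Rights per state. Rows follow the order in which the page lists them (assumed
# mapping where the state name is missing). Any value absent from a row is deny-all.
RIGHTS = {
    State.INITIAL: {"execution": R | W},
    State.WAIT: {"execution": R, "request_prep": R | W},
    State.CHALLENGE_GEN: {"execution": R, "request_prep": R, "challenge": R | W},
    State.INPUT: {"execution": R, "request_prep": R, **{v: R | W for v in INPUT_VALUES}},
    State.VERIFY: {"execution": R, "request_prep": R, "challenge": R,
                   **{v: R for v in INPUT_VALUES},
                   "intermediate": R | W, "hashed": R | W, "auth_result": R | W},
    State.END: {"auth_result": R},
    State.FAIL: {},  # not described on the page; modelled here as deny-all
}

# Event names are this example's own labels for the arrows of FIG. 7.
TRANSITIONS = {
    (State.INITIAL, "execute"): State.WAIT,
    (State.WAIT, "auth_request"): State.CHALLENGE_GEN,
    (State.CHALLENGE_GEN, "challenge_ok"): State.INPUT,
    (State.CHALLENGE_GEN, "generation_fail"): State.FAIL,
    (State.INPUT, "input_ok"): State.VERIFY,
    (State.INPUT, "receive_fail"): State.FAIL,
    (State.VERIFY, "verify_ok"): State.END,
    (State.VERIFY, "verify_fail"): State.FAIL,
    (State.END, "initialize"): State.INITIAL,
    (State.FAIL, "reset"): State.INITIAL,
}

class AccessDenied(Exception):
    pass

class ApparatusModel:
    def __init__(self):
        self.state, self.values, self.denied = State.INITIAL, {}, []

    def _require(self, name, bit):
        if not RIGHTS[self.state].get(name, 0) & bit:
            # Keep an audit trail of every refused access: (state, value, right).
            self.denied.append((self.state.value, name, "W" if bit == W else "R"))
            raise AccessDenied(f"{name} in {self.state.value}")

    def write(self, name, value):
        self._require(name, W)
        self.values[name] = value

    def read(self, name):
        self._require(name, R)
        return self.values.get(name)

    def step(self, event):
        self.state = TRANSITIONS[(self.state, event)]  # KeyError on an illegal transition
        if self.state is State.INITIAL:
            self.values.clear()  # assumed: re-initialisation wipes the previous run

def allowed(dev, op, name, value=None):
    """True if the read ('R') or write ('W') is permitted in the current state."""
    try:
        dev.write(name, value) if op == "W" else dev.read(name)
        return True
    except AccessDenied:
        return False

def run_unilateral(verify_ok=True):
    """Walk S110 to S150 with constructed values; returns (device, overwrite_allowed)."""
    dev = ApparatusModel()
    dev.write("execution", 1)
    dev.step("execute")
    dev.write("request_prep", 1)
    dev.step("auth_request")
    dev.write("challenge", b"constructed-challenge")
    dev.step("challenge_ok")
    for name in INPUT_VALUES:
        dev.write(name, b"constructed-" + name.encode())
    dev.step("input_ok")
    # S150: the challenge is an input to verification and is read-only by now.
    overwrite_allowed = allowed(dev, "W", "challenge", b"other-value")
    dev.write("auth_result", "pass" if verify_ok else "fail")
    dev.step("verify_ok" if verify_ok else "verify_fail")
    return dev, overwrite_allowed
```

The `denied` list gives a per-run record of refused accesses, which is the signal a monitor would watch for when inputs are being altered between steps.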
  • FIG. 9 is a ladder diagram for conceptually describing a unilateral authentication protocol of an authentication apparatus 100 according to an embodiment of the disclosure.
  • a unilateral authentication protocol of the authentication apparatus 100 may be performed as described below.
  • the authentication apparatus 100 may receive an authentication request from an opponent 300 (S 11 ), may generate a challenge corresponding to the authentication request, and may transmit (S 12 ) the challenge to the opponent 300 .
  • the opponent 300 may generate a response using the transmitted challenge.
  • the authentication apparatus 100 may receive a public key and the response of the opponent 300 (S 13 ) and may verify the public key and the response using a secret key of the authentication apparatus 100 (S 14 ). Accordingly, the unilateral authentication protocol may be ended.
  • the opponent 300 may be other components of the device B (refer to FIG. 1 ) including the authentication apparatus 100 or may be the device C (refer to FIG. 1 ) which is placed outside a device (i.e., the devices A or B) including the authentication apparatus 100 .
  • FIG. 10 is a block diagram for describing a procedure of receiving an authentication request when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol.
  • an authentication request may be inputted as described below.
  • the authentication apparatus 100 may receive an authentication request at the wait state S 120 (refer to FIG. 7 ) (S 11 ). At this time, the authentication request may be inputted from the device A.
  • the device A may receive the authentication request from any other component or may receive the authentication request from an external device which is placed outside the device A.
  • the device A may transmit the authentication request to the authentication apparatus 100 .
  • the authentication request may be inputted to the authentication controller 110 .
  • FIG. 11 is a block diagram for describing a procedure of generating a challenge corresponding to an authentication request when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol.
  • the authentication controller 110 may control the hash function 132 and the random number generator 133 in response to an authentication request (S 12 - 1 ).
  • the random number generator 133 may generate a seed value corresponding to the challenge under control of the authentication controller 110 and may transmit the seed value to the shared memory 140 (S 12 - 2 ).
  • the hash function 132 may generate a random value using the seed value under control of the authentication controller 110 and may transmit the random value to the shared memory 140 (S 12 - 3 ).
  • the random value may be a challenge value.
  • In FIG. 11 , the procedure of generating the challenge using the hash function 132 and the random number generator 133 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
  • the authentication controller 110 may control an input/output operation of the shared memory 140 (S 12 - 4 ).
  • FIG. 12 is a block diagram for describing a procedure of receiving a public key certificate and a response of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol. Referring to FIGS. 7 to 12 , a procedure of receiving a public key certificate and a response of an opponent will be described below.
  • the authentication apparatus 100 may receive the public key certificate (including a public key) and a response corresponding to a challenge, which are received from the opponent 300 .
  • the public key certificate of the opponent 300 may be inputted to the certificate handler 120 and may be stored in the shared memory 140 (S 13 - 1 ).
  • the certificate handler 120 may process the public key certificate of the opponent 300 stored in the shared memory 140 based on a predefined sequence (S 13 - 2 ).
  • the response of the opponent 300 may be stored in the shared memory 140 via the authentication controller 110 (S 13 - 3 ).
  • the authentication controller 110 may control an overall operation of the shared memory 140 (S 13 - 4 ).
  • FIG. 13 is a block diagram for describing a procedure of verifying a public key certificate and a response of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol. Referring to FIGS. 7 to 13 , a procedure of verifying a public key certificate and a response of an opponent will be described below.
  • the authentication controller 110 may control the cryptographic primitives 130 and the shared memory 140 so as to repeatedly operate, and thus the authentication controller 110 may verify the public key certificate and the response (S 14 - 1 ).
  • the public key accelerator 131 may repeatedly access the shared memory 140 during a verification operation of the public key certificate and the response (S 14 - 2 ).
  • the hash function 132 may repeatedly access the shared memory 140 during the verification operation of the public key certificate and the response (S 14 - 3 ).
  • the authentication apparatus 100 may be applied to a mutual authentication protocol.
  • FIG. 14 is a state machine diagram for describing a procedure of performing a mutual authentication protocol of an authentication apparatus according to an embodiment of the disclosure. Referring to FIGS. 1 to 6 and 14 , a mutual authentication protocol of the authentication apparatus 100 may be performed as described below.
  • Each of S 210 , S 220 , and S 230 may be performed so as to be the same as or similar to each of S 110 , S 120 , and S 130 illustrated in FIG. 7 , and thus the description thereof may be omitted.
  • the reset and initialization operations for entering the initial state S 210 are the same as, or similar to, those described with respect to FIG. 7 .
  • the execution operation S 211 , receive authentication request operation S 221 , and generation fail operation S 232 are the same as, or similar to, those of operations S 111 , S 121 and S 132 in FIG. 7 , respectively.
  • the authentication apparatus 100 may transition to a public key and challenge state S 240 and transmit (S 241 ) a public key certificate having a public key of the authentication apparatus 100 and the challenge to an opponent while in the public key and challenge transmission state S 240 .
  • When the public key certificate having the public key and the challenge of the authentication apparatus 100 are transmitted to the opponent (S 241 ), the authentication apparatus 100 enters the public key and response input state S 250 and the opponent may verify the public key certificate and the challenge of the authentication apparatus 100 and may generate a public key certificate of the opponent, a challenge of the opponent, and a response of the opponent corresponding to the challenge of the authentication apparatus 100 .
  • the authentication apparatus 100 may receive a public key certificate and the response of the opponent (S 251 ) and thereafter enter the public key and response verification state S 260 .
  • the authentication apparatus 100 may verify whether the public key certificate and the response of the opponent are valid while in the public key and response verification state S 260 .
  • the state of the authentication apparatus 100 may be transitioned to a fail state S 295 through a receive fail operation (S 252 ).
  • the authentication apparatus 100 transitions to the challenge generation and transmission state S 270 and may generate a response and may transmit the response to the opponent (S 271 ).
  • the state of the authentication apparatus 100 may be transitioned to the fail state S 295 of the mutual authentication protocol through a verification fail operation S 262 .
  • When the authentication apparatus 100 generates the response and transmits the response (S 271 ), the authentication apparatus 100 transitions to a shared secret key generation state S 280 and may generate a shared secret key (S 281 ). When the shared secret key is generated (S 281 ), the authentication apparatus 100 may end the mutual authentication protocol by transitioning to the end state (S 290 ).
  • the authentication apparatus 100 may differently set a read/write right about values which are generated when the mutual authentication protocol is performed at each operation step or values for performing the mutual authentication protocol.
  • FIG. 15 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol.
  • an execution value may be readable and writable.
  • an execution value may be readable and a request preparation value may be readable and writable.
  • the execution value and the request preparation value may be readable, and a challenge value of the authentication apparatus 100 may be readable and writable.
  • the execution value, the request preparation value, the challenge value of the authentication apparatus 100 , a public key certificate of the authentication apparatus 100 may be readable and may not be writable.
  • the execution value and the request preparation value may be readable, and a public key certificate of an opponent, a certificate verification value, information data, and a response value corresponding to a challenge value of the authentication apparatus 100 may be readable and writable.
  • the execution value, the request preparation value, the challenge value of the authentication apparatus 100 , the public key certificate of the opponent, the certificate verification value, the information data, and the response value of the opponent corresponding to the response of the authentication apparatus 100 may be readable, and an intermediate value, a hashed value, and an authentication result value for an authentication protocol may be readable and writable.
  • the execution value, the request preparation value, the challenge value of the authentication apparatus 100 , a secret key value of the authentication apparatus 100 , a challenge from the opponent, a public key certificate of the opponent, and the information data may be readable, and the intermediate value, the hashed value, and an authentication result value may be readable and writable.
  • the execution value, the request preparation value, the challenge value of the authentication apparatus 100 , and a challenge value of the opponent may be readable, and the intermediate value, the hashed value, and the authentication result value may be readable and writable.
  • the authentication result value may be readable and may not be writable.
  • FIG. 16 is a ladder diagram for conceptually describing a mutual authentication protocol of an authentication apparatus 100 according to an embodiment of the disclosure.
  • a mutual authentication protocol of the authentication apparatus 100 may be performed as described below.
  • the authentication apparatus 100 may receive an authentication request from an opponent 400 (S 21 ) and may generate a challenge Challenge_A corresponding to the authentication request (S 23 ).
  • the authentication apparatus 100 may transmit a certificate Certificate_A having a public key and the challenge Challenge_A of the authentication apparatus 100 to the opponent 400 (S 24 ).
  • the opponent 400 may verify the transmitted certificate Certificate_A of the authentication apparatus 100 and may generate a response corresponding to the challenge Challenge_A of the authentication apparatus 100 .
  • the opponent 400 may generate a response Response_O corresponding to the challenge Challenge_A of the authentication apparatus 100 and a challenge Challenge_O of the opponent 400 .
  • the authentication apparatus 100 may receive a public key certificate Certificate_O, which has a public key, of the opponent 400 , the response Response_O of the opponent 400 , and the challenge Challenge_O of the opponent 400 (S 25 ).
  • the authentication apparatus 100 may verify the public key certificate Certificate_O of the opponent 400 and the response Response_O of the opponent 400 (S 26 ). Afterwards, when the verification of the opponent 400 is valid, the authentication apparatus 100 may generate a response Response_A of the authentication apparatus 100 (S 27 ).
  • the authentication apparatus 100 may generate a secret key shared with the opponent 400 (S 28 ). Afterwards, the authentication apparatus 100 may transmit the response Response_O indicating whether a mutual authentication protocol succeeds and the shared secret key to the opponent 400 (S 29 ).
  • the shared secret key may be a session key.
  • FIG. 17 is a block diagram for describing a procedure of transmitting a public key and a challenge of the authentication apparatus 100 to an opponent 400 when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol.
  • the authentication apparatus 100 may generate a challenge Challenge_A in response to the authentication request of the opponent 400 .
  • a challenge generating method may be executed as described in FIG. 11 .
  • the generated challenge Challenge_A may be stored in the shared memory 140 .
  • the authentication apparatus 100 may transmit the certificate Certificate_A stored in the authentication controller 110 to the opponent 400 (S 24 - 1 ).
  • the authentication apparatus 100 may transmit the challenge Challenge_A, which is stored in the shared memory 140 , of the authentication apparatus 100 to the opponent 400 via the authentication controller 110 (S 24 - 2 ).
  • FIG. 18 is a block diagram for describing a procedure of receiving a public key certificate, a response, and a challenge of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol. Referring to FIGS. 14 to 18 , a procedure of receiving a public key certificate Certificate_O, a response Response_O, and a challenge Challenge_O of an opponent will be described below.
  • the authentication apparatus 100 may receive the public key certificate Certificate_O, the response Response_O, and the challenge Challenge_O of the opponent 400 .
  • the public key certificate Certificate_O of the opponent 400 may be stored in the shared memory 140 via the certificate handler 120 (S 25 - 1 ).
  • the certificate handler 120 may process the public key certificate Certificate_O of the opponent 400 stored in the shared memory 140 based on a predefined sequence (S 25 - 2 ).
  • a response Response_O and a challenge Challenge_O of the opponent 400 may be stored in the shared memory 140 via the authentication controller 110 (S 25 - 3 ).
  • the authentication controller 110 may control an overall operation of the shared memory 140 (S 25 - 4 ).
  • FIG. 19 is a block diagram for describing a procedure of generating a response of the authentication apparatus 100 in response to a challenge of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol. Referring to FIGS. 14 to 19 , a procedure of generating the response Response_A of the authentication apparatus 100 in response to the challenge Challenge_O of the opponent 400 will be described below.
  • the authentication controller 110 may control the cryptographic primitives 130 and the shared memory 140 (S 27 - 1 ).
  • the public key accelerator 131 may repeatedly access the shared memory 140 (S 27 - 2 ).
  • the hash function 132 may repeatedly access the shared memory 140 (S 27 - 3 ).
  • the generated response Response_A may be transmitted to the opponent 400 via the authentication controller 110 (S 27 - 4 ).
  • FIG. 20 is a block diagram for describing a procedure of generating a shared secret key when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol. Referring to FIGS. 14 to 20 , a procedure of generating a shared secret key will be described below.
  • the authentication controller 110 may generate the shared secret key by repeatedly accessing the public key accelerator 131 and the shared memory 140 (S 28 - 1 ). To generate the shared secret key, the public key accelerator 131 may repeatedly access the shared memory 140 (S 28 - 2 ).
  • FIG. 21 is a block diagram illustrating a mobile device according to an embodiment of the disclosure.
  • a mobile device 1000 may include a secure element 1020 , a processor (AP/ModAP) 1100 , a buffer memory 1200 , a display/touch module 1300 , and a storage device 1400 .
  • the secure element 1020 may be implemented to provide an overall secure function of the mobile device 1000 .
  • the secure element 1020 may be implemented with software and/or tamper resistant hardware, may permit a high-level of security, and may work to collaborate on a trusted execution environment (TEE) of the processor 1100 .
  • the secure element 1020 may include a Native operating system (OS), a security storage device which is an internal data storage unit, an access control block which controls a right of access to the secure element 1020 , a security function block for performing ownership management, key management, digital signature, encryption/decryption, and the like, and a firmware update block for updating firmware of the secure element 1020 .
  • the secure element 1020 may be a universal IC card (UICC) (e.g., USIM, CSIM, and ISIM), a subscriber identity module (SIM) card, an embedded secure element (eSE), a MicroSD, stickers, and the like.
  • the secure element 1020 may include the authentication apparatus 100 described with reference to FIGS. 1 to 20 .
  • In the embodiment of the disclosure illustrated in FIG. 21 , the authentication apparatus 100 is exemplified as existing outside the processor 1100 .
  • the scope and spirit of the disclosure may not be limited thereto.
  • the authentication apparatus 100 according to an embodiment of the disclosure may exist in the processor 1100 .
  • the processor 1100 may be implemented to control an overall operation of the mobile device 1000 and a wired/wireless communication with an external device.
  • the processor 1100 may be an application processor (AP), an integrated modem application processor (hereinafter referred to as “ModAP”), or the like.
  • the buffer memory 1200 may be implemented to temporarily store data, which is needed when the mobile device 1000 performs a process operation.
  • the display/touch module 1300 may be implemented so as to display data processed from the processor 1100 or to receive data from a touch panel.
  • the storage device 1400 may be implemented so as to store data of a user.
  • the storage device 1400 may be an embedded multimedia card (eMMC), a solid state drive (SSD), a universal flash storage (UFS), or the like.
  • the storage device 1400 may include at least one nonvolatile memory device.
  • the nonvolatile memory may be a NAND flash memory, a vertical NAND flash memory (VNAND), a NOR flash memory, a resistive random access memory (RRAM), a phase change memory (PRAM), a magneto-resistive random access memory (MRAM), a ferroelectric random access memory (FRAM), a spin transfer torque random access memory (STT-RAM), or the like.
  • the nonvolatile memory may be implemented to have a three-dimensional array structure.
  • a three dimensional (3D) memory array is provided.
  • the 3D memory array is monolithically formed in one or more physical levels of arrays of memory cells having an active area disposed above a silicon substrate and circuitry associated with the operation of those memory cells, whether such associated circuitry is above or within such substrate.
  • the term “monolithic” means that layers of each level of the array are directly deposited on the layers of each underlying level of the array.
  • the 3D memory array includes vertical NAND strings that are vertically oriented such that at least one memory cell is located over another memory cell.
  • the at least one memory cell may comprise a charge trap layer.
  • Each vertical NAND string may include at least one select transistor located over memory cells, the at least one select transistor having the same structure as the memory cells and being formed monolithically together with the memory cells.
  • the nonvolatile memory according to an exemplary embodiment of the disclosure may be applicable to a charge trap flash (CTF) in which an insulating layer is used as a charge storage layer, as well as a flash memory device in which a conductive floating gate is used as a charge storage layer.
  • a configuration of an authentication apparatus based on a public key cryptosystem may provide a method in which sub-components share and use a resource, a method of limiting a storage device in a component and utilizing a shared resource, a structure including the sub-component which performs an authentication protocol based on a public key cryptosystem in view of a sequence, and a structure in which the sub-component processes a public key certificate.
  • a hardware structure of the authentication apparatus based on a public key cryptosystem may provide a hardware device for performing an authentication protocol based on a public key cryptosystem and a device for managing a public key certificate.
  • FIG. 22 is a schematic diagram illustrating an IoT network system according to an embodiment of the disclosure.
  • a mobile device 22-1, a wearable device 22-2, smart glasses 22-3, a sensor 22-4, or the like may include the authentication apparatus 100 according to an embodiment of the disclosure.
  • a product to which the disclosure is applied may include a device, which supports an authentication based on a public key cryptosystem, such as a light bulb, a thermometer, a motion sensor which support an IoT environment, a smartphone, a print toner, a smartphone flip-cover, an application processor, a display driver integrated circuit (DDI).
  • the disclosure may be applied to other devices which support an authentication based on a public key cryptosystem as well as the above-described devices.
  • An authentication apparatus may make it possible to reduce a size of a conventional memory which each of the components independently uses by sharing a memory and possible to eliminate a central processing unit (CPU) or a nonvolatile memory (NVM) by including a dedicated module which performs an authentication protocol. Accordingly, the authentication apparatus 100 may be lightened.
  • circuits may, for example, be embodied in one or more semiconductor chips, or on substrate supports such as printed circuit boards and the like.
  • circuits constituting a block may be implemented by dedicated hardware, or by a processor (e.g., one or more programmed microprocessors and associated circuitry), or by a combination of dedicated hardware to perform some functions of the block and a processor to perform other functions of the block.
  • Each block of the embodiments may be physically separated into two or more interacting and discrete blocks without departing from the scope of the disclosure.
  • the blocks of the embodiments may be physically combined into more complex blocks without departing from the scope of the disclosure.

Abstract

An authentication apparatus, included in a device supporting a network communication, includes a certificate handler that receives a certificate of an opponent and parses or verifies the certificate of the opponent. Cryptographic primitives receive an authentication request of the opponent, generate a random number in response to the authentication request, generate a challenge corresponding to the random number, and verify a response of the opponent corresponding to the challenge. A shared memory stores the parsed certificate, the random number, the challenge, and the response. An authentication controller controls the certificate handler, the cryptographic primitives, and the shared memory through a register setting, according to an authentication protocol.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This U.S. non-provisional patent application claims priority under 35 U.S.C. § 119 to Korean Patent Applications No. 10-2015-0139168 filed Oct. 2, 2015, and No. 10-2015-0168664 filed Nov. 30, 2015, the entire contents of which are hereby incorporated by reference.
BACKGROUND
The disclosure described herein relates to an authentication apparatus based on a public key cryptosystem, a mobile device having the same, and an authentication method thereof.
An internet of things (IoT) means a technology that allows a variety of things including a sensor and a communication function to connect to an internet. Here, the things are various embedded systems such as a home appliance, a mobile device, a wearable device, and the like. In an IoT environment, various devices connect to a network for communication and data sharing, and thus the devices provide a service for a user. At this time, sensitive data associated with privacy of a user is transmitted through a network and is used at a service. To protect personal information and to provide a service, an authentication apparatus identifies another participant of a communication, thereby making it possible to protect privacy through an interaction with an authenticated participant and to provide a service which a user wants.
Nowadays, an authentication target is expanded, and thus there is required an authentication between components in a device. Even though a device is not a device in an IoT environment, when a function of a component among components is provided without an authentication, privacy is infringed due to an attack on sensitive data of a user. In addition, a fake product is manufactured through the reusing or unauthorized use of a specific component. In an authentication at the component level, a function of a genuine product certification is performed by identifying an opponent (e.g., component). Furthermore, a secure service is provided by protecting privacy of a user. Accordingly, there is required a lightweight authentication apparatus which is applied at a device level as well as a component level.
SUMMARY
Embodiments of the disclosure provide a lightened authentication apparatus, a mobile device having the same, and an authentication method thereof.
According to an embodiment of the disclosure, an authentication apparatus included in a device supporting a network communication may include a certificate handler configured to receive a certificate of an opponent and to parse or verify the certificate of the opponent. Cryptographic primitives receive an authentication request of the opponent to generate a random number in response to the authentication request, generate a challenge corresponding to the random number, and verify a response of the opponent corresponding to the challenge. A shared memory stores the parsed certificate, the random number, the challenge, and the response. An authentication controller controls the certificate handler, the cryptographic primitives, and the shared memory through a register setting according to an authentication protocol.
According to an embodiment of the disclosure, a mobile device may include a first component and a second component. At least one of the first or second components comprises an authentication apparatus. The authentication apparatus may include an authentication handler configured to receive, parse or verify a certificate of an opponent. Cryptographic primitives generate a random number, generate a challenge corresponding to the random number, verify a response of the opponent corresponding to the challenge, or generate a response of the authentication apparatus in response to a challenge of the opponent. A shared memory stores the parsed certificate, the random number, the challenge, and the response. An authentication controller controls the certificate handler, the cryptographic primitives, and the shared memory through a register setting according to an authentication protocol, when the mobile device transmits an authentication request to the opponent or the opponent transmits an authentication request to the mobile device.
According to an embodiment of the disclosure, an authentication method of an authentication apparatus may include receiving an authentication request from an opponent; setting a first register indicating the authentication request to be readable and writable; generating a first challenge in response to the authentication request; setting a second register storing the first challenge to be readable and writable; receiving a response corresponding to the first challenge and a first certificate from the opponent; and setting registers for storing the first certificate, a value for verifying the first certificate, information data, and the first response to be readable and writable. The method further includes verifying the first certificate and the first response and setting registers for storing an intermediate value or a result value, which is obtained in the verifying of the first certificate and the first response, to be readable and writable.
According to an embodiment of the disclosure, an authentication apparatus may receive an authentication request of an opponent, verify a response of the opponent in response to the authentication request, and may generate a response of the authentication apparatus corresponding to a challenge of the opponent.
According to an embodiment of the disclosure, an authentication apparatus includes a hash primitive that generates a challenge in response to an authentication request received from an opponent. A memory device stores the challenge. A control circuit receives the challenge from the memory device and transmits the challenge to the opponent. A certificate handler stores a certificate, received from the opponent in response to the challenge, in the memory device. The control circuit further stores a response, received from the opponent in response to the challenge, in the memory device. A public key accelerator primitive receives the response and certificate from the memory device and verifies the received response and certificate.
BRIEF DESCRIPTION OF THE FIGURES
The above and other objects and features will become apparent from the following description with reference to the following figures, wherein like reference numerals refer to like parts throughout the various figures unless otherwise specified, and wherein:
FIG. 1 is a schematic diagram illustrating a network system for performing an authentication method of devices, each of which includes an authentication apparatus according to an embodiment of the disclosure;
FIG. 2 is a block diagram illustrating an authentication apparatus according to an embodiment of the disclosure;
FIG. 3 is a block diagram illustrating an authentication controller illustrated in FIG. 2;
FIG. 4 is a block diagram illustrating cryptographic primitives illustrated in FIG. 2;
FIG. 5 is a block diagram illustrating data areas to be included in a shared memory when an authentication apparatus according to an embodiment of the disclosure performs an authentication protocol;
FIG. 6 is a block diagram for describing the reuse of input/output values, which are stored in a shared memory, of each of components in at least one of the components when an authentication apparatus according to an embodiment of the disclosure performs an authentication protocol;
FIG. 7 is a state machine diagram for describing a procedure of performing a unilateral authentication protocol of an authentication apparatus according to an embodiment of the disclosure;
FIG. 8 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
FIG. 9 is a ladder diagram for conceptually describing a unilateral authentication protocol of an authentication apparatus according to an embodiment of the disclosure;
FIG. 10 is a block diagram for describing a procedure of receiving an authentication request when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
FIG. 11 is a block diagram for describing a procedure of generating a challenge corresponding to an authentication request when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
FIG. 12 is a block diagram for describing a procedure of receiving a public key certificate and a response of an opponent when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
FIG. 13 is a block diagram for describing a procedure of verifying a public key certificate and a response of an opponent when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol;
FIG. 14 is a state machine diagram for describing a procedure of performing a mutual authentication protocol of an authentication apparatus according to an embodiment of the disclosure;
FIG. 15 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
FIG. 16 is a ladder diagram for conceptually describing a mutual authentication protocol of an authentication apparatus according to an embodiment of the disclosure;
FIG. 17 is a block diagram for describing a procedure of transmitting a public key and a challenge of the authentication apparatus to an opponent when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
FIG. 18 is a block diagram for describing a procedure of receiving a public key certificate, a response, and a challenge of an opponent when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
FIG. 19 is a block diagram for describing a procedure of generating a response of the authentication apparatus in response to a challenge to an opponent when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
FIG. 20 is a block diagram for describing a procedure of generating a shared secret key when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol;
FIG. 21 is a block diagram illustrating a mobile device according to an embodiment of the disclosure; and
FIG. 22 is a schematic diagram illustrating an IoT network system according to an embodiment of the disclosure.
DETAILED DESCRIPTION
The present disclosure will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the disclosure are shown. While the disclosure is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that there is no intent to limit the disclosure to the particular forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the disclosure.
An authentication apparatus, according to an embodiment of the disclosure, based on a public key cryptosystem may make it possible to reduce a size of a conventional memory, which each of multiple components independently uses, by sharing a memory and make it possible to eliminate a central processing unit (CPU) or a nonvolatile memory (NVM) by including a dedicated module which performs an authentication protocol. Accordingly, an authentication apparatus may be lightened.
The authentication apparatus may need cryptographic hardware which performs a function, which is necessary to provide a service based on a public key cryptosystem, at high speed. The reason may be that the public key cryptosystem includes a scheme or a protocol including operations of an integer which are based on a cryptographic hard problem requiring a high throughput. For example, the operations of an integer may include a modular addition, a modular subtraction, a modular multiplication, and a modular exponentiation. Moreover, the operations of an integer may include a point addition, a point doubling, a scalar multiplication, and a message digest which are on an elliptic curve.
Moreover, the authentication apparatus may be implemented by combining an executor of an integer operation and a hash executor for the message digest. At this time, each of the components may have a resource overlapped with each other. For example, each of the components may separately need a separate memory (e.g., a static random access memory (SRAM)) to perform a unique function. Because the memory is a resource overlapped between components, the memory may be used as a shared memory for optimization and light-weight of an authentication apparatus.
Moreover, a chip size of each of the components may be minimized by storing an internal variable of each of the components in a shared memory. In an embodiment, an authentication function of a product such as a flip-cover of a smartphone, a battery, or a power cable may be implemented so as to perform authentication after a service is provided or while a service is provided. When the authentication fails, a corresponding service may be immediately interrupted.
The authentication apparatus according to an embodiment of the disclosure may not include an independent central processing unit (CPU) for performing authentication based on a public key cryptosystem and a nonvolatile memory (NVM) which stores software (SW) for performing authentication. Moreover, an internal component of the authentication apparatus according to an embodiment of the disclosure may continuously access a shared memory and may operate. Components which independently operate may share a memory with each other and may use the shared memory. At this time, the components may share data, which the components need, through the shared memory.
FIG. 1 is a schematic diagram illustrating a network system for authenticating devices A and B each of which includes an authentication apparatus, according to an embodiment of the disclosure. Referring to FIG. 1, a network system 10 may include a network 11 for a wireless/wired connection among devices A, B, and C. In an embodiment, the network 11 may be an internet of things (IoT) network. In FIG. 1, for descriptive convenience, an embodiment of the disclosure is exemplified as three devices A, B, and C connected to the network 11. However, the scope and spirit of the disclosure may not be limited thereto. For example, the number of devices connecting to the network 11 may be four or more.
The first device A may include a corresponding authentication apparatus 100, and the second device B may include a corresponding authentication apparatus 200. Unlike the first and second devices A and B, the third device C may not include an authentication apparatus.
As illustrated in FIG. 1, an authentication method which is performed by the network system 10 for each device may be roughly classified into two manners. That is, there may be a mutual authentication between the device A including the authentication apparatus 100 and the device B including the authentication apparatus 200 and a unilateral authentication between the device A including the authentication apparatus 100 and the device B including the authentication apparatus 200 and between a device A or B including an authentication device 100 or 200 and the device C not including an authentication apparatus. In an embodiment, the first device A may be a flip cover encompassing a smartphone, the second device B may be a smartphone, and the third device C may be a device not including an authentication apparatus.
Moreover, an authentication apparatus (e.g., the authentication apparatus 200) may be used to perform an internal authentication between first and second components 201 and 202. The internal authentication may include a mutual authentication or a unilateral authentication, just as with the external authentication. In an embodiment, the first component 201 may be a display driver integrated chip (DDI) device, and the second component 202 may be a display device. An embodiment of the disclosure is exemplified in which a component 201 of the device B includes one authentication apparatus 200, in FIG. 1. However, the scope and spirit of the disclosure may not be limited thereto. For example, another component 202 of the device B may include an authentication apparatus. Although not illustrated in FIG. 1, a configuration of the authentication apparatus 100 in the first device A may be similar to a configuration of the authentication apparatus 200 in the second device B.
Meanwhile, the network system 10 illustrated in FIG. 1 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
FIG. 2 is a block diagram illustrating an authentication apparatus 100 according to an embodiment of the disclosure. Referring to FIG. 2, an authentication apparatus 100 may include a plurality of components 110, 120, 130, and 140. In an embodiment, the authentication apparatus 100 may include an authentication controller 110, a certificate handler 120, cryptographic primitives 130, and a shared memory 140.
The authentication controller 110 may be implemented so as to perform an authentication protocol based on a public key cryptosystem. Here, the authentication protocol may be an external authentication protocol for communicating with an external device or an internal authentication protocol for communicating with an internal component. The authentication controller 110 may directly execute an authentication protocol through a communication with an opponent. For example, to perform an operation which is required when the authentication protocol is performed, the authentication controller 110 may repeatedly call out the components 120 and 130 each of which performs a unit operation. Moreover, the authentication controller 110 may sequentially adjust an operating point in time of each of the components 120 and 130, and thus the components 110, 120, and 130 may share the shared memory 140. That is, the authentication controller 110 may control the certificate handler 120, the cryptographic primitives 130, and a shared memory 140 to allow other components to use a value which is inputted to one component or outputted from one component through the shared memory 140. In an embodiment, through a register setting, the authentication controller 110 may control the certificate handler 120, the cryptographic primitives 130, and the shared memory 140 which are for the authentication protocol.
The certificate handler 120 may be implemented to manage a public key certificate. The certificate handler 120 may generate, parse, and verify the public key certificate. The certificate handler 120 may parse the public key certificate inputted from the opponent and may store the parsed public key certificate in the shared memory 140. For example, the certificate handler 120 may receive a public key certificate of the opponent and may verify whether the public key certificate of the opponent is valid, using a root certificate of a certificate authority (CA).
To manage a public key certificate, the certificate handler 120 may be implemented so as to frequently and continuously access the shared memory 140. That is, the certificate handler 120 may be implemented so as to store internal variables for generating or verifying a public key certificate in the shared memory 140.
The cryptographic primitives 130 may be implemented so as to perform a public key encryption operation, to perform a hash operation, or to generate a random number.
In an embodiment, when an authentication protocol is performed, the cryptographic primitives 130 may generate a challenge in response to an authentication request of the opponent. At this time, the challenge may be obtained by inputting a random number to a hash algorithm. Furthermore, the cryptographic primitives 130 may verify a response generated from the opponent in response to the challenge of the authentication apparatus 100. For example, the response inputted from the opponent may be a signature value obtained by certifying the challenge of the authentication apparatus 100 using a private key of the opponent. At this time, the cryptographic primitives 130 may verify the response (or the signature value) of the opponent by decoding the challenge using the response of the opponent and a public key certificate of the opponent.
Furthermore, the cryptographic primitives 130 may generate a response (or a signature value) of an authentication apparatus which corresponds to a challenge generated by the opponent.
In an embodiment, the cryptographic primitives 130 may generate a shared secret using a random number which is generated when an authentication protocol is performed.
To perform a public key encryption operation, to perform a hash operation, or to generate a random number, the cryptographic primitives 130 may be implemented so as to frequently and continuously access the shared memory 140. That is, the cryptographic primitives 130 may be implemented so as to store internal variables for an encryption operation, a hash operation, or generation of a random number in the shared memory 140.
The shared memory 140 may be implemented so as to store: (1) data for at least one operation of the authentication controller 110, the certificate handler 120 and the cryptographic primitives 130, (2) data generated during an operation, or (3) data according to a result of an operation. In an embodiment, the shared memory 140 may be implemented with a volatile memory, a nonvolatile memory, or a hybrid memory which is composed of a volatile memory and a nonvolatile memory. For example, the shared memory 140 may be a dynamic random access memory (DRAM), a static random access memory (SRAM), an embedded multimedia card (eMMC), or the like. An input/output control operation of the shared memory 140 may be performed under control of the authentication controller 120. That is, the authentication controller 120 may include a memory controller for controlling the shared memory 140.
In an embodiment, the components 110, 120, 130, and 140 of the authentication apparatus 100 may be implemented so as to connect to each other through data lines 101, 102, 103, 104, and 105. Each of the data lines 101, 102, 103, 104, and 105 may be used as an input/output line for transmitting internal data generated when an authentication protocol is performed.
The components 110, 120, and 130 of the authentication apparatus 100 according to an embodiment of the disclosure may share the shared memory 140. For this reason, input/output values of any one of the components 110, 120, and 130 may be shared by the remaining components. That is, the authentication apparatus 100 according to an embodiment of the disclosure may make it possible to reduce a size of a conventional memory which each of components independently uses, and thus the authentication apparatus 100 may be lightened.
Moreover, the authentication apparatus 100 according to an embodiment of the disclosure may include the component 110 dedicated for an authentication protocol, thereby making it possible to eliminate a central processing unit (CPU), which drives software for performing an authentication protocol, or a nonvolatile memory (NVM). That is, the authentication apparatus 100 may be lightened. In addition, because there is no need to store software for performing an authentication protocol, the authentication apparatus 100 according to an embodiment of the disclosure may make it possible to exclude the possibility that an error of authentication apparatus 100 occurs due to tampering with the software.
The authentication apparatus 100 according to an embodiment of the disclosure may perform an authentication protocol based on a public key cryptosystem by only using the authentication controller 110 for performing an authentication protocol and the certificate handler 120 for processing a public key certificate.
Meanwhile, the authentication apparatus 100 according to an embodiment of the disclosure may be applied to various devices and components, and thus the authentication apparatus 100 may provide a variety of authentication functions in various environments of the devices. The authentication protocol, which the authentication apparatus 100 according to an embodiment of the disclosure supports based on a public key cryptosystem, may be a unilateral authentication and a mutual authentication.
The components may collaboratively operate according to an operation for performing an authentication protocol. In an embodiment, in the case of the unilateral authentication, a result of an operation of the authentication apparatus 100 may be a result value of an identification of the opponent. In another embodiment, in the case of the mutual authentication, a result of an operation of the authentication apparatus 100 may be a result value of an identification of the opponent and a secret value which is used when a session key for a secret communication is generated after the result is generated. The secret value may be shared by the authentication apparatus 100 and the opponent.
Meanwhile, the authentication apparatus 100 illustrated in FIG. 2 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
FIG. 3 is a block diagram illustrating an authentication controller 110 illustrated in FIG. 2. Referring to FIG. 3, the authentication controller 110 may include registers 112 and a one-time programmable memory 114.
The registers 112 may include a first register 112-1 which stores an execution value indicating that the authentication apparatus 100 begins an authentication protocol process, a second register 112-2 which stores a preparation value set when an authentication request is received, and a third register 112-3 which stores an authentication result value. When the first register 112-1 is set, the authentication apparatus 100 may begin an authentication protocol operation. When an authentication request is received from an external device, the second register 112-2 may be set. When an authentication protocol is successfully completed, the third register 112-3 may be set.
The one-time programmable memory 114 may be implemented so as to store a certificate 114-1 for the authentication apparatus 100. The certificate 114-1 may include a public key 114-2 and a secret key 114-3 of the authentication apparatus 100 which are required to perform an authentication protocol based on a public key cryptosystem. The one-time programmable memory 114 may be implemented so as to include a countermeasure for protecting the secret key 114-3.
Meanwhile, the authentication controller 110 illustrated in FIG. 3 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
FIG. 4 is a block diagram illustrating cryptographic primitives 130 illustrated in FIG. 2. Referring to FIG. 4, the cryptographic primitives 130 may include a public key accelerator 131, a hash function 132, and a random number generator 133.
The public key accelerator 131 may be implemented so as to perform a modular operation or a point operation used for an authentication protocol. In an embodiment, the public key accelerator 131 may connect to the authentication controller 110 through a data line 103-1. In an embodiment, the public key accelerator 131 may connect to the shared memory 140 through a data line 104-1.
The hash function 132 may be implemented so as to perform a hash algorithm. In an embodiment, the hash function 132 may connect to the authentication controller 110 through a data line 103-2. In an embodiment, the hash function 132 may connect to the shared memory 140 through a data line 104-2.
The random number generator 133 may be implemented so as to generate a random number. In an embodiment, the random number generator 133 may connect to the authentication controller 110 through a data line 103-3. In an embodiment, the random number generator 133 may connect to the shared memory 140 through a data line 104-3.
Moreover, in an embodiment, the data lines 103-1, 103-2, and 103-3 may be included in the data line 103 illustrated in FIG. 2, and the data lines 104-1, 104-2, and 104-3 may be included in the data line 104 illustrated in FIG. 2.
Meanwhile, the cryptographic primitives 130 illustrated in FIG. 4 are exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
FIG. 5 is a block diagram illustrating data areas to be included in a shared memory 140 when an authentication apparatus 100 according to an embodiment of the disclosure performs an authentication protocol.
The shared memory 140 may include a first area 141 which stores a challenge of the authentication apparatus 100 generated by the authentication controller 110 when an authentication protocol is performed, a second area 142 which stores a response generated by an opponent in response to the challenge of the authentication apparatus 100, a third area 143 which stores a parsed certificate from the opponent, a fourth area 144 which stores a challenge transmitted from the opponent, a fifth area 145 which stores a response generated by the authentication apparatus 100 in response to the challenge of the opponent, a sixth area 146 which stores an intermediate value for an authentication protocol, and a seventh area 147 which stores a hashed value which is a result value of a hash function. Here, the third area 143 may include an area 143-1 which stores a public key of the opponent, an area 143-2 which stores a value for signature verification, and an area 143-3 which stores information data for performing other authentication protocols.
FIG. 6 is a block diagram for describing the reuse of input/output values, which are stored in the shared memory 140, of each of components 110, 120, and 130 in at least one of components 110, 120, and 130 when an authentication apparatus 100 according to an embodiment of the disclosure performs an authentication protocol.
Input/output values of components 110, 120, and 130 may be stored, as described below. Input/output values of the public key accelerator 131 may be stored in the sixth area 146 of the shared memory 140 through the data line 104-1. Input/output values of the hash function 132 may be stored in the seventh area 147 of the shared memory 140 through the data line 104-2. Input/output values of the random number generator 133 may be stored in the first area 141 of the shared memory 140 through the data line 104-3. Input/output values of the certificate handler 120 may be stored in the third area 143 of the shared memory 140 through the data line 102.
Moreover, values stored in the shared memory 140 which are outputted from one component may be reused at another component, as described below. In an embodiment, a challenge value stored in the first area 141 may be reused at the hash function 132 through the data line 104-5, and the reused result value may be stored in the seventh area 147. In an embodiment, a hashed value stored in the seventh area 147 may be reused at the public key accelerator 131 through the data line 104-6, and the reused result value may be stored in the sixth area 146. In an embodiment, the parsed certificate of the third area 143 may be reused at the public key accelerator 131 through the data line 104-7, and the reused result value may be stored in the sixth area 146. In an embodiment, the parsed certificate of the third area 143 may be reused at the hash function 132 through the data line 104-8, and the reused result value may be stored in the seventh area 147.
Meanwhile, each of the components 110, 120, and 130 of the authentication apparatus 100 may frequently and repeatedly access the shared memory 140 and may generate an output value.
Meanwhile, a method of reusing input/output values of each of the components 110, 120, and 130 illustrated in FIG. 2 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
FIG. 7 is a state machine diagram for describing a procedure of performing a unilateral authentication protocol of an authentication apparatus according to an embodiment of the disclosure. Referring to FIGS. 1 to 7, a unilateral authentication protocol of the authentication apparatus 100 may be performed as described below.
When the authentication apparatus 100 is reset, the authentication apparatus 100 may transition to an initial state S110. Moreover, a state of the authentication apparatus 100 may be transitioned from an end state S160 to the initial state S110 by an initialization operation. Moreover, the state of the authentication apparatus 100 may be transitioned from a fail state S170 to the initial state S110 by a reset operation.
In a device including the authentication apparatus 100, when an authentication protocol is performed in response to an internal signal (S111), a state of the authentication apparatus 100 may be transitioned from the initial state S110 to a wait state S120. The authentication apparatus 100 may wait for an authentication request from an opponent which is a target of an authentication protocol at the wait state S120. When the authentication request is inputted from the opponent (S121), the state of the authentication apparatus 100 may be transitioned to a challenge generation state S130. At the challenge generation state S130, a challenge value may be generated from the random number generator 133 of the cryptographic primitives 130 (refer to FIG. 4). The generated challenge value may be transmitted to an external device (i.e., the opponent) which is placed outside the authentication apparatus 100. When the transmitting of the challenge is completed (S131), the state of the authentication apparatus 100 may be transitioned to a public key & response input state S140; otherwise, the state of the authentication apparatus 100 may be transitioned to the fail state S170 upon a failure of the challenge value generation (S132). In the public key & response input state S140, a public key of the opponent, which wants to confirm an authorization, and a response corresponding to the challenge of the authentication apparatus 100 may be transmitted to the authentication apparatus 100. When the public key and the response of the opponent are inputted to the authentication apparatus 100 (S141), the state of the authentication apparatus 100 may be transitioned to a public key & response verification state S150; otherwise, the state of the authentication apparatus 100 may be transitioned to the fail state S170 upon a failure to receive the public key and/or response (S142).
At the public key & response verification state S150, verification may be performed with respect to the public key of the opponent. When the verification result indicates that the public key is a valid public key, the verification may be performed with respect to the response.
When the verification succeeds (S151), the state of the authentication apparatus 100 may be transitioned to the end state S160. On the other hand, when the verification fails (S152), the state of the authentication apparatus 100 may be transitioned to the fail state S170.
Meanwhile, the procedure of performing a unilateral authentication protocol illustrated in FIG. 7 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
For example, the authentication apparatus 100 according to an embodiment of the disclosure may set different read/write rights, at each operation step, for values which are generated while the unilateral authentication protocol is performed or values for performing the unilateral authentication protocol. That is, because the values may be modified by an action of an attacker, setting the rights in this way may block such an action from affecting the authentication result. To this end, the authentication controller 110 illustrated in FIG. 3 may adjust an access right for values which are stored in the registers 112 (refer to FIG. 3), or values which are stored in the one-time programmable memory 114 (refer to FIG. 3), according to an operating step of the authentication apparatus 100.
FIG. 8 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a unilateral authentication protocol.
At the initial state S110, an execution value may be readable and writable. At the wait state S120, the execution value may be readable, and a request preparation value may be readable and writable. At the challenge generation state S130, the execution value and the request preparation value may be readable, and a challenge value of the authentication apparatus 100 may be readable and writable. At the public key & response input state S140, the execution value and the request preparation value may be readable, and a public key value of an opponent, a certificate verification value, information data, and a challenge response value of the opponent may be readable and writable. At the public key & response verification state S150, the execution value, the request preparation value, the challenge value of the authentication apparatus 100, the public key value of the opponent, the certificate verification value, the information data, and the challenge response value of the opponent may be readable, and an intermediate value, a hashed value, and an authentication result value for an authentication protocol may be readable and writable. At the end state S160 and the fail state S170, the authentication result value may be readable and may not be writable.
In the embodiment, a read or write right setting may be implemented by a status register for storing a bit value.
Meanwhile, values other than those in the table illustrated in FIG. 8 may be neither readable nor writable.
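As an added illustration (not code from the patent), the state machine of FIG. 7 and the rights table of FIG. 8 can be modelled in C as a lookup table that is consulted on every register access. The identifier names, the 32-bit stand-in values, ignoring events that are not defined for a state, and clearing values on return to S110 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* States of the unilateral protocol, numbered as in FIG. 7. */
enum state { S110_INIT, S120_WAIT, S130_CHAL_GEN, S140_INPUT,
             S150_VERIFY, S160_END, S170_FAIL, N_STATES };

/* Values whose rights FIG. 8 manages (identifier names are assumptions). */
enum value { V_EXEC, V_PREP, V_CHALLENGE, V_OPP_PUBKEY, V_CERT_VERIF, V_INFO,
             V_OPP_RESPONSE, V_INTERMEDIATE, V_HASHED, V_RESULT, N_VALUES };

/* Transitions of FIG. 7, plus the initialization and reset operations. */
enum event { EV_S111_EXECUTE, EV_S121_REQUEST, EV_S131_SENT, EV_S132_GEN_FAIL,
             EV_S141_INPUT, EV_S142_RECV_FAIL, EV_S151_VERIFY_OK,
             EV_S152_VERIFY_FAIL, EV_INIT, EV_RESET };

enum { RD = 1, WR = 2, RW = RD | WR };   /* readable, writable, both */

/* FIG. 8 as a lookup table. Unlisted entries are 0 (no access), matching
 * the rule that values outside the table are neither readable nor writable. */
static const uint8_t rights[N_STATES][N_VALUES] = {
    [S110_INIT]     = { [V_EXEC] = RW },
    [S120_WAIT]     = { [V_EXEC] = RD, [V_PREP] = RW },
    [S130_CHAL_GEN] = { [V_EXEC] = RD, [V_PREP] = RD, [V_CHALLENGE] = RW },
    [S140_INPUT]    = { [V_EXEC] = RD, [V_PREP] = RD, [V_OPP_PUBKEY] = RW,
                        [V_CERT_VERIF] = RW, [V_INFO] = RW, [V_OPP_RESPONSE] = RW },
    [S150_VERIFY]   = { [V_EXEC] = RD, [V_PREP] = RD, [V_CHALLENGE] = RD,
                        [V_OPP_PUBKEY] = RD, [V_CERT_VERIF] = RD, [V_INFO] = RD,
                        [V_OPP_RESPONSE] = RD, [V_INTERMEDIATE] = RW,
                        [V_HASHED] = RW, [V_RESULT] = RW },
    [S160_END]      = { [V_RESULT] = RD },
    [S170_FAIL]     = { [V_RESULT] = RD },
};

/* Device model: current state plus 32-bit stand-ins for the real values. */
struct auth_dev { enum state st; uint32_t val[N_VALUES]; };

/* Store x in value v if the current state grants WR; 0 on success, -1 if denied. */
int dev_write(struct auth_dev *d, enum value v, uint32_t x)
{
    if (!(rights[d->st][v] & WR)) return -1;
    d->val[v] = x;
    return 0;
}

/* Fetch value v if the current state grants RD; 0 on success, -1 if denied. */
int dev_read(const struct auth_dev *d, enum value v, uint32_t *out)
{
    if (!(rights[d->st][v] & RD)) return -1;
    *out = d->val[v];
    return 0;
}

/* Apply one transition. Events not defined for the current state are ignored,
 * and values are cleared on return to S110 (both are assumptions). */
enum state dev_step(struct auth_dev *d, enum event e)
{
    if (e == EV_RESET || (e == EV_INIT && d->st == S160_END)) {
        memset(d->val, 0, sizeof d->val);
        d->st = S110_INIT;
        return d->st;
    }
    switch (d->st) {
    case S110_INIT:     if (e == EV_S111_EXECUTE) d->st = S120_WAIT; break;
    case S120_WAIT:     if (e == EV_S121_REQUEST) d->st = S130_CHAL_GEN; break;
    case S130_CHAL_GEN: d->st = e == EV_S131_SENT     ? S140_INPUT
                              : e == EV_S132_GEN_FAIL ? S170_FAIL : d->st; break;
    case S140_INPUT:    d->st = e == EV_S141_INPUT     ? S150_VERIFY
                              : e == EV_S142_RECV_FAIL ? S170_FAIL : d->st; break;
    case S150_VERIFY:   d->st = e == EV_S151_VERIFY_OK   ? S160_END
                              : e == EV_S152_VERIFY_FAIL ? S170_FAIL : d->st; break;
    default: break;
    }
    return d->st;
}

/* Constructed session: count the out-of-phase accesses the table rejects. */
int demo_blocked_accesses(void)
{
    struct auth_dev d = { .st = S110_INIT };
    uint32_t tmp = 0;
    int blocked = 0;
    blocked += dev_write(&d, V_RESULT, 1) != 0;       /* S110: forge result */
    dev_step(&d, EV_S111_EXECUTE);
    dev_step(&d, EV_S121_REQUEST);
    dev_write(&d, V_CHALLENGE, 0xC0FFEEu);            /* S130: allowed */
    dev_step(&d, EV_S131_SENT);
    blocked += dev_read(&d, V_CHALLENGE, &tmp) != 0;  /* S140: no access */
    dev_step(&d, EV_S141_INPUT);
    blocked += dev_write(&d, V_CHALLENGE, 0) != 0;    /* S150: read-only */
    dev_write(&d, V_RESULT, 1);                       /* S150: allowed */
    dev_step(&d, EV_S151_VERIFY_OK);
    blocked += dev_write(&d, V_RESULT, 0) != 0;       /* S160: read-only */
    return blocked;
}

int main(void) { printf("blocked accesses: %d\n", demo_blocked_accesses()); return 0; }
```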
FIG. 9 is a ladder diagram for conceptually describing a unilateral authentication protocol of an authentication apparatus 100 according to an embodiment of the disclosure. Referring to FIG. 9, a unilateral authentication protocol of the authentication apparatus 100 may be performed as described below. The authentication apparatus 100 may receive an authentication request from an opponent 300 (S11), may generate a challenge corresponding to the authentication request, and may transmit (S12) the challenge to the opponent 300. The opponent 300 may generate a response using the transmitted challenge. The authentication apparatus 100 may receive a public key and the response of the opponent 300 (S13) and may verify the public key and the response using a secret key of the authentication apparatus 100 (S14). Accordingly, the unilateral authentication protocol may be ended.
In an embodiment, the opponent 300 may be other components of the device B (refer to FIG. 1) including the authentication apparatus 100 or may be the device C (refer to FIG. 1) which is placed outside a device (i.e., the devices A or B) including the authentication apparatus 100.
FIG. 10 is a block diagram for describing a procedure of receiving an authentication request when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol. Referring to FIGS. 7 to 10, an authentication request may be inputted as described below. The authentication apparatus 100 may receive an authentication request at the wait state S120 (refer to FIG. 7) (S11). At this time, the authentication request may be inputted from the device A. The device A may receive the authentication request from any other component or may receive the authentication request from an external device which is placed outside the device A. The device A may transmit the authentication request to the authentication apparatus 100. In an embodiment, the authentication request may be inputted to the authentication controller 110.
FIG. 11 is a block diagram for describing a procedure of generating a challenge corresponding to an authentication request when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol. Referring to FIGS. 7 to 11, a procedure of generating a challenge will be described below. To generate a challenge, the authentication controller 110 may control the hash function 132 and the random number generator 133 in response to an authentication request (S12-1). The random number generator 133 may generate a seed value corresponding to the challenge under control of the authentication controller 110 and may transmit the seed value to the shared memory 140 (S12-2). The hash function 132 may generate a random value using the seed value under control of the authentication controller 110 and may transmit the random value to the shared memory 140 (S12-3). Here, the random value may be a challenge value. Meanwhile, as illustrated in FIG. 11, the procedure of generating the challenge using the hash function 132 and the random number generator 133 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
In an embodiment, the authentication controller 110 may control an input/output operation of the shared memory 140 (S12-4).
FIG. 12 is a block diagram for describing a procedure of receiving a public key certificate and a response of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol. Referring to FIGS. 7 to 12, a procedure of receiving a public key certificate and a response of an opponent will be described below.
The authentication apparatus 100 may receive the public key certificate (including a public key) and a response corresponding to a challenge, which are received from the opponent 300. The public key certificate of the opponent 300 may be inputted to the certificate handler 120 and may be stored in the shared memory 140 (S13-1). The certificate handler 120 may process the public key certificate of the opponent 300 stored in the shared memory 140 based on a predefined sequence (S13-2). Moreover, the response of the opponent 300 may be stored in the shared memory 140 via the authentication controller 110 (S13-3). To input the public key certificate and the response, the authentication controller 110 may control an overall operation of the shared memory 140 (S13-4).
FIG. 13 is a block diagram for describing a procedure of verifying a public key certificate and a response of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a unilateral authentication protocol. Referring to FIGS. 7 to 13, a procedure of verifying a public key certificate and a response of an opponent will be described below.
The authentication controller 110 may control the cryptographic primitives 130 and the shared memory 140 so as to repeatedly operate, and thus the authentication controller 110 may verify the public key certificate and the response (S14-1). The public key accelerator 131 may repeatedly access the shared memory 140 during a verification operation of the public key certificate and the response (S14-2). The hash function 132 may repeatedly access the shared memory 140 during the verification operation of the public key certificate and the response (S14-3).
Meanwhile, the authentication apparatus 100 according to an embodiment of the disclosure may be applied to a mutual authentication protocol.
FIG. 14 is a state machine diagram for describing a procedure of performing a mutual authentication protocol of an authentication apparatus according to an embodiment of the disclosure. Referring to FIGS. 1 to 6 and 14, a mutual authentication protocol of the authentication apparatus 100 may be performed as described below.
Each of S210, S220, and S230 may be performed so as to be the same as or similar to each of S110, S120, and S130 illustrated in FIG. 7, and thus the description thereof may be omitted. Similarly, the reset and initialization operations for entering the initial state S210 are the same as, or similar to, those described with respect to FIG. 7. And the execution operation S211, receive authentication request operation S221, and generation fail operation S232 are the same as, or similar to, those of operations S111, S121 and S132 in FIG. 7, respectively.
When a challenge for performing the mutual authentication protocol is generated (S231), the authentication apparatus 100 may transition to a public key and challenge transmission state S240 and, while in that state, transmit (S241) a public key certificate having a public key of the authentication apparatus 100 and the challenge to an opponent.
When the public key certificate having the public key and the challenge of the authentication apparatus 100 are transmitted to the opponent (S241), the authentication apparatus 100 enters the public key and response input state S250 and the opponent may verify the public key certificate and the challenge of the authentication apparatus 100 and may generate a public key certificate of the opponent, a challenge of the opponent, and a response of the opponent corresponding to the challenge of the authentication apparatus 100. The authentication apparatus 100 may receive a public key certificate and the response of the opponent (S251) and thereafter enter the public key and response verification state S260.
When the authentication apparatus 100 receives the public key certificate, the challenge, and the response of the opponent (S251), the authentication apparatus 100 may verify whether the public key certificate and the response of the opponent are valid while in the public key and response verification state S260. On the other hand, when the authentication apparatus 100 does not receive the public key certificate, the challenge, and the response of the opponent during a specific time, the state of the authentication apparatus 100 may be transitioned to a fail state S295 through a receive fail operation (S252).
When the verification succeeds (S261), the authentication apparatus 100 transitions to the challenge generation and transmission state S270 and may generate a response and may transmit the response to the opponent (S271). On the other hand, when the verification fails, the state of the authentication apparatus 100 may be transitioned to the fail state S295 of the mutual authentication protocol through a verification fail operation S262.
When the authentication apparatus 100 generates the response and transmits the response (S271), the authentication apparatus 100 transitions to a shared secret key generation state S280 and may generate a shared secret key (S281). When the shared secret key is generated (S281), the authentication apparatus 100 may end the mutual authentication protocol by transitioning to the end state (S290).
Meanwhile, the procedure of performing a mutual authentication protocol illustrated in FIG. 14 is exemplified. However, the scope and spirit of the disclosure may not be limited thereto.
For example, the authentication apparatus 100 according to an embodiment of the disclosure may set different read/write rights, at each operation step, for values which are generated when the mutual authentication protocol is performed or values for performing the mutual authentication protocol.
FIG. 15 is a table for describing management of internal information rights when an authentication apparatus according to an embodiment of the disclosure performs a mutual authentication protocol.
At the initial state S210, an execution value may be readable and writable. At the wait state S220, an execution value may be readable and a request preparation value may be readable and writable. At the challenge generation state S230, the execution value and the request preparation value may be readable, and a challenge value of the authentication apparatus 100 may be readable and writable.
At the public key & challenge transmission state S240, the execution value, the request preparation value, the challenge value of the authentication apparatus 100, and a public key certificate of the authentication apparatus 100 may be readable and may not be writable.
At the public key & response input state S250, the execution value and the request preparation value may be readable, and a public key certificate of an opponent, a certificate verification value, information data, and a response value corresponding to a challenge value of the authentication apparatus 100 may be readable and writable.
At the public key and response verification state S260, the execution value, the request preparation value, the challenge value of the authentication apparatus 100, the public key certificate of the opponent, the certificate verification value, the information data, and the response value of the opponent corresponding to the response of the authentication apparatus 100, may be readable, and an intermediate value, a hashed value, and an authentication result value for an authentication protocol may be readable and writable.
At the challenge generation & transmission state S270, the execution value, the request preparation value, the challenge value of the authentication apparatus 100, a secret key value of the authentication apparatus 100, a challenge from the opponent, a public key certificate of the opponent, and the information data may be readable, and the intermediate value, the hashed value, and an authentication result value may be readable and writable.
At the shared secret key generation state S280, the execution value, the request preparation value, the challenge value of the authentication apparatus 100, and a challenge value of the opponent may be readable, and the intermediate value, the hashed value, and the authentication result value may be readable and writable.
At the end state S290 and the fail state S295, the authentication result value may be readable and may not be writable.
FIG. 16 is a ladder diagram for conceptually describing a mutual authentication protocol of an authentication apparatus 100 according to an embodiment of the disclosure. Referring to FIG. 16, a mutual authentication protocol of the authentication apparatus 100 may be performed as described below. The authentication apparatus 100 may receive an authentication request from an opponent 400 (S21) and may generate a challenge Challenge_A corresponding to the authentication request (S23). In the case of the mutual authentication protocol, the authentication apparatus 100 may transmit a certificate Certificate_A having a public key and the challenge Challenge_A of the authentication apparatus 100 to the opponent 400 (S24).
The opponent 400 may verify the transmitted certificate Certificate_A of the authentication apparatus 100 and may generate a response corresponding to the challenge Challenge_A of the authentication apparatus 100. When the verification result indicates that the certificate Certificate_A of the authentication apparatus 100 is valid, the opponent 400 may generate a response Response_O corresponding to the challenge Challenge_A of the authentication apparatus 100 and a challenge Challenge_O of the opponent 400.
The authentication apparatus 100 may receive a public key certificate Certificate_O, which has a public key, of the opponent 400, the response Response_O of the opponent 400, and the challenge Challenge_O of the opponent 400 (S25). The authentication apparatus 100 may verify the public key certificate Certificate_O of the opponent 400 and the response Response_O of the opponent 400 (S26). Afterwards, when the verification of the opponent 400 is valid, the authentication apparatus 100 may generate a response Response_A of the authentication apparatus 100 (S27). The authentication apparatus 100 may generate a secret key shared with the opponent 400 (S28). Afterwards, the authentication apparatus 100 may transmit the response Response_O indicating whether a mutual authentication protocol succeeds and the shared secret key to the opponent 400 (S29). Here, the shared secret key may be a session key.
FIG. 17 is a block diagram for describing a procedure of transmitting a public key and a challenge of the authentication apparatus 100 to an opponent 400 when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol.
The authentication apparatus 100 may generate a challenge Challenge_A in response to the authentication request of the opponent 400. A challenge generating method may be executed as described in FIG. 11. The generated challenge Challenge_A may be stored in the shared memory 140. To perform a mutual authentication protocol, the authentication apparatus 100 may transmit the certificate Certificate_A stored in the authentication controller 110 to the opponent 400 (S24-1). Moreover, the authentication apparatus 100 may transmit the challenge Challenge_A, which is stored in the shared memory 140, of the authentication apparatus 100 to the opponent 400 via the authentication controller 110 (S24-2).
FIG. 18 is a block diagram for describing a procedure of receiving a public key certificate, a response, and a challenge of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol. Referring to FIGS. 14 to 18, a procedure of receiving a public key certificate Certificate_O, a response Response_O, and a challenge Challenge_O of an opponent will be described below.
The authentication apparatus 100 may receive the public key certificate Certificate_O, the response Response_O, and the challenge Challenge_O of the opponent 400. The public key certificate Certificate_O of the opponent 400 may be stored in the shared memory 140 via the certificate handler 120 (S25-1). The certificate handler 120 may process the public key certificate Certificate_O of the opponent 400 stored in the shared memory 140 based on a predefined sequence (S25-2).
Moreover, a response Response_O and a challenge Challenge_O of the opponent 400 may be stored in the shared memory 140 via the authentication controller 110 (S25-3). To input the public key certificate Certificate_O, the response Response_O and the challenge Challenge_O, the authentication controller 110 may control an overall operation of the shared memory 140 (S25-4).
FIG. 19 is a block diagram for describing a procedure of generating a response of the authentication apparatus 100 in response to a challenge of an opponent when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol. Referring to FIGS. 14 to 19, a procedure of generating the response Response_A of the authentication apparatus 100 in response to the challenge Challenge_O of the opponent 400 will be described below.
To generate the response Response_A in response to the challenge Challenge_O of the opponent 400, the authentication controller 110 may control the cryptographic primitives 130 and the shared memory 140 (S27-1). To generate the response Response_A of the authentication apparatus 100, the public key accelerator 131 may repeatedly access the shared memory 140 (S27-2). Moreover, to generate the response Response_A of the authentication apparatus 100, the hash function 132 may repeatedly access the shared memory 140 (S27-3). The generated response Response_A may be transmitted to the opponent 400 via the authentication controller 110 (S27-4).
FIG. 20 is a block diagram for describing a procedure of generating a shared secret key when an authentication apparatus 100 according to an embodiment of the disclosure performs a mutual authentication protocol. Referring to FIGS. 14 to 20, a procedure of generating a shared secret key will be described below.
The authentication controller 110 may generate the shared secret key by repeatedly accessing the public key accelerator 131 and the shared memory 140 (S28-1). To generate the shared secret key, the public key accelerator 131 may repeatedly access the shared memory 140 (S28-2).
FIG. 21 is a block diagram illustrating a mobile device according to an embodiment of the disclosure. Referring to FIG. 21, a mobile device 1000 may include a secure element 1020, a processor (AP/ModAP) 1100, a buffer memory 1200, a display/touch module 1300, and a storage device 1400.
The secure element 1020 may be implemented to provide an overall secure function of the mobile device 1000. The secure element 1020 may be implemented with software and/or tamper resistant hardware, may permit a high level of security, and may work in collaboration with a trusted execution environment (TEE) of the processor 1100. The secure element 1020 may include a native operating system (OS), a security storage device which is an internal data storage unit, an access control block which controls a right of access to the secure element 1020, a security function block for performing ownership management, key management, digital signature, encryption/decryption, and the like, and a firmware update block for updating firmware of the secure element 1020. For example, the secure element 1020 may be a universal IC card (UICC) (e.g., USIM, CSIM, and ISIM), a subscriber identity module (SIM) card, an embedded secure element (eSE), a MicroSD, stickers, and the like.
Moreover, the secure element 1020 according to an embodiment of the disclosure may include the authentication apparatus 100 described with reference to FIGS. 1 to 20. An embodiment of the disclosure is exemplified as the authentication apparatus 100 illustrated in FIG. 21 exists outside the processor 1100. However, the scope and spirit of the disclosure may not be limited thereto. For example, the authentication apparatus 100 according to an embodiment of the disclosure may exist in the processor 1100.
The processor 1100 may be implemented to control an overall operation of the mobile device 1000 and a wired/wireless communication with an external device. For example, the processor 1100 may be an application processor (AP), an integrated modem application processor (hereinafter referred to as “ModAP”), or the like.
The buffer memory 1200 may be implemented to temporarily store data, which is needed when the mobile device 1000 performs a process operation. The display/touch module 1300 may be implemented so as to display data processed from the processor 1100 or to receive data from a touch panel. The storage device 1400 may be implemented so as to store data of a user. The storage device 1400 may be an embedded multimedia card (eMMC), a solid state drive (SSD), a universal flash storage (UFS), or the like. The storage device 1400 may include at least one nonvolatile memory device.
The nonvolatile memory may be a NAND flash memory, a vertical NAND flash memory (VNAND), a NOR flash memory, a resistive random access memory (RRAM), a phase change memory (PRAM), a magneto-resistive random access memory (MRAM), a ferroelectric random access memory (FRAM), a spin transfer torque random access memory (STT-RAM), or the like.
Furthermore, the nonvolatile memory may be implemented to have a three-dimensional array structure. In an embodiment of the disclosure, a three dimensional (3D) memory array is provided. The 3D memory array is monolithically formed in one or more physical levels of arrays of memory cells having an active area disposed above a silicon substrate and circuitry associated with the operation of those memory cells, whether such associated circuitry is above or within such substrate. The term “monolithic” means that layers of each level of the array are directly deposited on the layers of each underlying level of the array.
In an embodiment of the disclosure, the 3D memory array includes vertical NAND strings that are vertically oriented such that at least one memory cell is located over another memory cell. The at least one memory cell may comprise a charge trap layer. Each vertical NAND string may include at least one select transistor located over memory cells, the at least one select transistor having the same structure as the memory cells and being formed monolithically together with the memory cells.
The following patent documents, which are hereby incorporated by reference, describe suitable configurations for three-dimensional memory arrays, in which the three-dimensional memory array is configured as a plurality of levels, with word lines and/or bit lines shared between levels: U.S. Pat. Nos. 7,679,133; 8,553,466; 8,654,587; 8,559,235; and US Pat. Pub. No. 2011/0233648. The nonvolatile memory according to an exemplary embodiment of the disclosure may be applicable to a charge trap flash (CTF) in which an insulating layer is used as a charge storage layer, as well as a flash memory device in which a conductive floating gate is used as a charge storage layer.
A configuration of an authentication apparatus based on a public key cryptosystem may provide a method in which sub-components share and use a resource, a method of limiting a storage device in a component and utilizing a shared resource, a structure including the sub-component which performs an authentication protocol based on a public key cryptosystem in view of a sequence, and a structure in which the sub-component processes a public key certificate.
A hardware structure of the authentication apparatus based on a public key cryptosystem may provide a hardware device for performing an authentication protocol based on a public key cryptosystem and a device for managing a public key certificate.
FIG. 22 is a schematic diagram illustrating an IoT network system according to an embodiment of the disclosure. Referring to FIG. 22, a mobile device 22-1, a wearable device 22-2, smart glasses 22-3, a sensor 22-4, or the like may include the authentication apparatus 100 according to an embodiment of the disclosure.
A product to which the disclosure is applied may include a device which supports an authentication based on a public key cryptosystem, such as a light bulb, a thermometer, or a motion sensor supporting an IoT environment, a smartphone, a print toner, a smartphone flip-cover, an application processor, or a display driver integrated circuit (DDI). Moreover, the disclosure may be applied to other devices which support an authentication based on a public key cryptosystem as well as the above-described devices.
An authentication apparatus according to an embodiment of the disclosure, a mobile device including the same, and an authentication method thereof may make it possible, by sharing a memory, to reduce the size of the memory that each of the components conventionally uses independently, and to eliminate a central processing unit (CPU) or a nonvolatile memory (NVM) by including a dedicated module which performs an authentication protocol. Accordingly, the authentication apparatus 100 may be lightened.
As is traditional in the field, embodiments may be described and illustrated in terms of blocks which carry out a described function or functions. These blocks, which may be referred to herein as units or modules or the like, are physically implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware and/or software. The circuits may, for example, be embodied in one or more semiconductor chips, or on substrate supports such as printed circuit boards and the like. The circuits constituting a block may be implemented by dedicated hardware, or by a processor (e.g., one or more programmed microprocessors and associated circuitry), or by a combination of dedicated hardware to perform some functions of the block and a processor to perform other functions of the block. Each block of the embodiments may be physically separated into two or more interacting and discrete blocks without departing from the scope of the disclosure. Likewise, the blocks of the embodiments may be physically combined into more complex blocks without departing from the scope of the disclosure.
While the disclosure has been described with reference to exemplary embodiments, it will be apparent to those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the disclosure. Therefore, it should be understood that the above embodiments are not limiting, but illustrative.

Claims (20)

What is claimed is:
1. An authentication apparatus included in a device supporting a network communication, the authentication apparatus comprising:
an authentication controller that receives an authentication request from an opponent according to an authentication protocol, the authentication controller including a first register set by the authentication request;
cryptographic primitives that generate a random number in response to the authentication request, generate a challenge corresponding to the random number, and verify a response from the opponent corresponding to the challenge;
a certificate handler that receives a certificate from the opponent and verifies the certificate; and
a shared memory shared by the authentication controller, the cryptographic primitives, and the certificate handler but not the opponent, wherein:
the authentication apparatus differently sets a read or write right about first values generated during the authentication protocol or about second values for performing the authentication protocol,
the cryptographic primitives store the random number and the challenge in the shared memory under control of the authentication controller, and
the certificate handler stores the certificate in the shared memory under control of the authentication controller.
2. The authentication apparatus of claim 1, wherein the authentication controller comprises:
registers that store values for performing the authentication protocol; and
a one-time programmable memory that stores a certificate of the authentication apparatus.
3. The authentication apparatus of claim 2, wherein the registers comprise:
a second register that indicates a start of the authentication protocol; and
a third register that stores a result value of the authentication protocol.
4. The authentication apparatus of claim 2, wherein the certificate of the authentication apparatus comprises a public key of the authentication apparatus and a secret key of the authentication apparatus.
5. The authentication apparatus of claim 1, wherein the cryptographic primitives comprise:
a public key accelerator that performs a modular operation or a point operation for generating the challenge or verifying the response;
a hash function that receives the random number and generates the challenge based on a hash algorithm; and
a random number generator that generates the random number in response to the authentication request.
6. The authentication apparatus of claim 5, wherein:
the public key accelerator repeatedly accesses the shared memory through a first data line,
the hash function repeatedly accesses the shared memory through a second data line, and
the random number generator repeatedly accesses the shared memory through a third data line.
7. The authentication apparatus of claim 5, wherein the shared memory comprises at least one of:
a first area that stores the challenge of the authentication apparatus;
a second area that stores a response of the authentication apparatus;
a third area that stores the certificate of the opponent;
a fourth area that stores a challenge of the opponent;
a fifth area that stores the response of the opponent;
a sixth area that stores an intermediate value when the authentication protocol is performed; and
a seventh area that stores a hashed value of the hash function.
8. The authentication apparatus of claim 7, wherein at least one value stored in the first to seventh areas is reused by at least one of the certificate handler, the cryptographic primitives, and the authentication controller.
9. The authentication apparatus of claim 8, further comprising a predetermined data line that transmits the at least one value.
10. The authentication apparatus of claim 1, wherein the authentication controller differently sets a read or write right of a register corresponding to an operation step when the authentication protocol is performed.
11. A mobile device comprising:
a first component; and
a second component, wherein:
the first component comprises an authentication apparatus, and the authentication apparatus comprises:
an authentication controller that receives an authentication request from an opponent which is the second component according to an authentication protocol, the authentication controller including a first register set by the authentication request;
cryptographic primitives that generate a random number, generate a challenge corresponding to the random number, and verify a response from the opponent corresponding to the challenge;
a certificate handler that receives a certificate from the opponent and verifies the certificate; and
a shared memory shared by the authentication controller, the cryptographic primitives, and the certificate handler but not the opponent,
the authentication apparatus differently sets a read or write right about first values generated during the authentication protocol or about second values for performing the authentication protocol,
the cryptographic primitives store the random number and the challenge in the shared memory under control of the authentication controller, and
the certificate handler stores the certificate in the shared memory under control of the authentication controller.
12. The mobile device of claim 11, wherein:
the authentication protocol is a unilateral authentication protocol based on a public key cryptosystem, and
the authentication apparatus performs an operation to receive the authentication request from the opponent, generates the challenge in response to the authentication request, transmits the challenge to the opponent, receives the certificate of the opponent and the response of the opponent from the opponent, and verifies the certificate of the opponent and the response of the opponent.
13. The mobile device of claim 12, wherein the authentication controller receives the authentication request from the opponent and sets a corresponding register in response to the authentication request.
14. The mobile device of claim 12, wherein:
the cryptographic primitives comprise a random number generator and a hash function, and
the authentication controller controls the random number generator, the hash function, and the shared memory so as to generate the random number with the random number generator in response to the authentication request, so as to store the random number in the shared memory, and so as to generate the challenge with the hash function by reusing the random number stored in the shared memory.
15. The mobile device of claim 12, wherein:
a certificate handler parses the certificate of the opponent and stores the certificate in the shared memory, and
the authentication controller receives the response of the opponent and stores the response in the shared memory.
16. The mobile device of claim 15, wherein:
the certificate handler verifies whether the certificate stored in the shared memory is valid, and
when the certificate of the opponent is valid, the authentication controller determines whether the response stored in the shared memory is valid, using the cryptographic primitives.
17. The mobile device of claim 11, wherein:
the authentication protocol is a mutual authentication protocol based on a public key cryptosystem, and
the mutual authentication protocol comprises:
an operation to receive the authentication request from the opponent;
an operation to generate the challenge in response to the authentication request;
an operation to transmit the challenge and the certificate of the authentication apparatus;
an operation to receive the certificate of the opponent, the response of the opponent, and the challenge of the opponent from the opponent;
an operation to verify the certificate of the opponent and the response of the opponent;
an operation to generate the response of the authentication apparatus in response to the challenge of the opponent; and
an operation to generate a shared secret key when an authentication operation succeeds.
18. The mobile device of claim 11, wherein:
the mobile device is a smartphone, and
the opponent is a flip cover encasing the smartphone.
19. An authentication apparatus comprising:
a hash primitive that generates a challenge in response to an authentication request received from an opponent according to an authentication protocol;
a shared memory device that stores the challenge;
a control circuit that receives the challenge from the shared memory device and transmits the challenge to the opponent;
a certificate handler that stores a certificate, received from the opponent in response to the challenge, in the shared memory device, and verifies the certificate of the shared memory device;
the control circuit further stores a response, received from the opponent in response to the challenge, in the shared memory device; and
a public key accelerator primitive that receives the response from the shared memory device and verifies the response, wherein
the authentication apparatus differently sets a read or write right about first values generated during the authentication protocol or about second values for performing the authentication protocol, and
the shared memory device is shared by the hash primitive, the control circuit, the certificate handler, and the public key accelerator primitive but not the opponent.
20. The authentication apparatus of claim 19, wherein the public key accelerator primitive generates, upon verifying the response and certificate, an authentication result and stores the authentication result in the shared memory device.
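The unilateral flow of claims 12 to 16, with the shared-memory areas of claim 7 and the per-step read/write rights of claim 10, modelled in software as an added example (not code from the patent). The toy RSA keys, the certificate format, the rights table, the component names and the choice to keep the random number in the intermediate-value area are assumptions made for the illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent of the toy RSA keys (constructed demo sizes, NOT secure)

def keygen(p, q):
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def make_cert(signer, subject):
    """Assumed certificate format: subject modulus plus signer's signature over it."""
    return {"n": subject["n"], "sig": sign(signer, subject["n"].to_bytes(32, "big"))}

def cert_valid(ca_pub, cert):
    n = cert.get("n", 0)
    return 0 < n < 2**256 and verify(ca_pub, n.to_bytes(32, "big"), cert.get("sig", 0))

# step -> component -> (areas it may read, areas it may write); names follow claim 7
RIGHTS = {
    "challenge": {"rng": (set(), {"intermediate"}),
                  "hash": ({"intermediate"}, {"challenge"}),
                  "ctrl": ({"challenge"}, set())},
    "receive": {"cert": (set(), {"opp_cert"}), "ctrl": (set(), {"opp_response"})},
    "verify": {"cert": ({"opp_cert"}, set()),
               "pka": ({"challenge", "opp_cert", "opp_response"}, set())},
}

class SharedMemory:
    def __init__(self):
        self.step, self.areas = "challenge", {}
    def _check(self, who, area, mode):
        if area not in RIGHTS[self.step].get(who, (set(), set()))[mode]:
            raise PermissionError(f"{who}: no access to {area} in step {self.step}")
    def read(self, who, area):
        self._check(who, area, 0)
        return self.areas[area]
    def write(self, who, area, value):
        self._check(who, area, 1)
        self.areas[area] = value

class AuthApparatus:
    def __init__(self, ca_pub):
        self.ca_pub, self.mem = ca_pub, SharedMemory()
        self.request_reg = 0    # register set by the authentication request
        self.result_reg = None  # register holding the protocol result

    def on_request(self):
        self.request_reg, self.mem.step = 1, "challenge"
        self.mem.write("rng", "intermediate", secrets.token_bytes(32))
        rnd = self.mem.read("hash", "intermediate")  # hash reuses the stored value
        self.mem.write("hash", "challenge", hashlib.sha256(rnd).digest())
        return self.mem.read("ctrl", "challenge")    # controller transmits it

    def on_reply(self, cert, response):
        if not self.request_reg:      # no outstanding challenge: reject outright
            return False
        self.mem.step = "receive"
        self.mem.write("cert", "opp_cert", cert)
        self.mem.write("ctrl", "opp_response", response)
        self.mem.step = "verify"
        stored = self.mem.read("cert", "opp_cert")
        # The response is checked only when the certificate is valid (claim 16).
        ok = cert_valid(self.ca_pub, stored) and verify(
            {"n": stored["n"], "e": E},
            self.mem.read("pka", "challenge"), self.mem.read("pka", "opp_response"))
        self.result_reg, self.request_reg = ok, 0  # each challenge is single-use
        return ok

def demo():
    ca = keygen(2**61 - 1, 2**89 - 1)            # Mersenne primes, demo only
    accessory = keygen(2**107 - 1, 2**127 - 1)
    dev = AuthApparatus({"n": ca["n"], "e": E})
    cert = make_cert(ca, accessory)
    r1 = sign(accessory, dev.on_request())
    out = {"genuine": dev.on_reply(cert, r1), "rights_enforced": False}
    out["no_pending_request"] = dev.on_reply(cert, r1)
    dev.on_request()
    out["replayed_response"] = dev.on_reply(cert, r1)
    fake = make_cert(accessory, accessory)       # self-signed, not CA-issued
    out["self_signed_cert"] = dev.on_reply(fake, sign(accessory, dev.on_request()))
    try:
        dev.mem.write("hash", "opp_cert", fake)  # hash block has no right here
    except PermissionError:
        out["rights_enforced"] = True
    return out
```

Calling `demo()` returns one boolean per case: only the genuine accessory authenticates, while a reply with no pending request, a replayed response, a self-signed certificate and an out-of-step memory write are all refused.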
US15/212,343 2015-10-02 2016-07-18 Authentication apparatus based on public key cryptosystem, mobile device having the same and authentication method Active 2038-04-06 US11070380B2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2015-0139168 2015-10-02
KR20150139168 2015-10-02
KR1020150168664A KR102458351B1 (en) 2015-10-02 2015-11-30 Authentication apparatus based on public key cryptosystem, mobile device having the same and authentication method thereof
KR10-2015-0168664 2015-11-30

Publications (2)

Publication Number Publication Date
US20170099151A1 US20170099151A1 (en) 2017-04-06
US11070380B2 US11070380B2 (en) 2021-07-20

Family

ID=58448098

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/212,343 Active 2038-04-06 US11070380B2 (en) 2015-10-02 2016-07-18 Authentication apparatus based on public key cryptosystem, mobile device having the same and authentication method

Country Status (1)

Country Link
US (1) US11070380B2 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187450B (en) * 2015-10-08 2019-05-10 飞天诚信科技股份有限公司 A kind of method and apparatus authenticated based on authenticating device
EP3379789A1 (en) 2017-03-20 2018-09-26 Koninklijke Philips N.V. Mutual authentication system
US10178187B2 (en) 2017-04-01 2019-01-08 Paul Stuart Swengler System and methods for internet of things (IoT) device authentication and security
US10887090B2 (en) * 2017-09-22 2021-01-05 Nec Corporation Scalable byzantine fault-tolerant protocol with partial tee support
CN107749854B (en) * 2017-10-30 2019-12-27 武汉烽火信息集成技术有限公司 Single sign-on method and system based on client
US10678950B2 (en) * 2018-01-26 2020-06-09 Rockwell Automation Technologies, Inc. Authenticated backplane access
US11190507B2 (en) * 2018-09-27 2021-11-30 Apple Inc. Trusted device establishment
EP4222623A1 (en) * 2020-10-01 2023-08-09 Oboren Systems, Inc. Exclusive self-escrow method and apparatus
CN113347004A (en) * 2021-06-04 2021-09-03 南京华盾电力信息安全测评有限公司 Encryption method for power industry

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030126458A1 (en) * 2000-12-28 2003-07-03 Kabushiki Kaisha Toshiba Method for sharing encrypted data region among processes in tamper resistant processor
US20050154889A1 (en) 2004-01-08 2005-07-14 International Business Machines Corporation Method and system for a flexible lightweight public-key-based mechanism for the GSS protocol
US20060150241A1 (en) 2004-12-30 2006-07-06 Samsung Electronics Co., Ltd. Method and system for public key authentication of a device in home network
US20070060216A1 (en) * 2005-09-12 2007-03-15 Cheng-Wen Huang Portable communication apparatus
US7269726B1 (en) 2000-01-14 2007-09-11 Hewlett-Packard Development Company, L.P. Lightweight public key infrastructure employing unsigned certificates
US20090136035A1 (en) 2007-11-27 2009-05-28 Samsung Electronics Co., Ltd. Public key infrastructure-based bluetooth smart-key system and operating method thereof
US7679133B2 (en) 2007-11-08 2010-03-16 Samsung Electronics Co., Ltd. Vertical-type non-volatile memory devices
US20100153719A1 (en) 2008-12-17 2010-06-17 Information And Communications University Lightweight Authentication Method and System for Low-Cost Devices Without Pseudorandom Number Generator
US20110093714A1 (en) 2009-10-20 2011-04-21 Infineon Technologies Ag Systems and methods for asymmetric cryptographic accessory authentication
US8000469B2 (en) 2000-04-13 2011-08-16 Broadcom Corporation Authentication engine architecture and method
US20110233648A1 (en) 2010-03-26 2011-09-29 Samsung Electronics Co., Ltd. Three-Dimensional Semiconductor Memory Devices And Methods Of Fabricating The Same
US8087073B2 (en) 2001-03-27 2011-12-27 Microsoft Corporation Authentication architecture
US8112626B1 (en) 2006-01-20 2012-02-07 Symantec Corporation Method and apparatus to provide public key authentication with low complexity devices
US8254581B2 (en) 2007-05-22 2012-08-28 Intel Corporation Lightweight key distribution and management method for sensor networks
US8291229B2 (en) 2008-01-17 2012-10-16 Hitachi, Ltd. System and method for digital signatures and authentication
US8522035B2 (en) 2011-09-20 2013-08-27 Blackberry Limited Assisted certificate enrollment
US8553466B2 (en) 2010-03-04 2013-10-08 Samsung Electronics Co., Ltd. Non-volatile memory device, erasing method thereof, and memory system including the same
US8559235B2 (en) 2010-08-26 2013-10-15 Samsung Electronics Co., Ltd. Nonvolatile memory device, operating method thereof and memory system including the same
US8630411B2 (en) 2011-02-17 2014-01-14 Infineon Technologies Ag Systems and methods for device and data authentication
US8654587B2 (en) 2010-08-11 2014-02-18 Samsung Electronics Co., Ltd. Nonvolatile memory devices, channel boosting methods thereof, programming methods thereof, and memory systems including the same
US8694783B2 (en) 2007-01-22 2014-04-08 Samsung Electronics Co., Ltd. Lightweight secure authentication channel
US20150163059A1 (en) 2007-06-11 2015-06-11 Nxp B.V. Method of generating a public key for an electronic device and electronic device
US20150222629A1 (en) 2012-12-23 2015-08-06 Mcafee, Inc. Hardware-based device authentication
US9111283B1 (en) 2010-06-14 2015-08-18 Impinj, Inc. RFID tag authentication with public-key cryptography
US9223958B2 (en) 2005-01-07 2015-12-29 Apple Inc. Accessory authentication for electronic devices

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11381537B1 (en) * 2021-06-11 2022-07-05 Oracle International Corporation Message transfer agent architecture for email delivery systems
US11784959B2 (en) * 2021-06-11 2023-10-10 Oracle International Corporation Message transfer agent architecture for email delivery systems

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIM, KITAK;KANG, JI-SU;BAE, KISEOK;AND OTHERS;SIGNING DATES FROM 20160503 TO 20160511;REEL/FRAME:039182/0490

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STCV Information on status: appeal procedure

Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: AWAITING TC RESP., ISSUE FEE NOT PAID

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE